05-08-2018 06:21 AM - edited 02-21-2020 10:55 AM
Hello,
Just found something odd.
Custom profile for a few printers.
I then added them to a logical profile.
Created a policy for them.
Tested the printers, they get the profiled.
They show up on the logical profile, I can see all MAC addresses.
They match the policy. Life is great!
A couple days later they don't match anymore. The policy because ISE doesn't see match the logical profile.
Other policies using logical profile are OK
I re-did all the profile policies, logical profile and policy set. It works, but if there is a re-auth they will not match anymore.
I also noticed that the ISE cannot get information from the logical profile.
TAC does not know what is going on, but I work around by creating a policy matching on the profiled device instead of the logical profile and it works.
PS. I have other custom logical profiles and they work just fine.
Has anyone seen this before?
05-08-2018 12:31 PM - edited 05-08-2018 12:31 PM
Hi Rodrigo
I have the same ISE version with the same patch level (Cisco ISE 2.3 Patch2) but I don't use logical profiles I normally use Profiling Policies with Policy Enabled option and use them in Conditions under Authorization rules.
I use Profiling Policies mostly for dynamic assignment (Profiling) and Static assignment via Endpoint group it always work perfectly fine. (Printers, AVAYA IP phones, Cisco AP, CCTV Camera,...etc)
Can you I just ask what the requirement that mandate you to use Logical profile ?
Here is a sample of an Avaya IP Phone normal reauthentication repeated logs
05-08-2018 12:38 PM
I have to group several devices that will use MAB, and give a single authorization policy.
TAC got it fixed, we are monitoring. We had to install patch 3 because of another bug and after the re-start, logical profiles on ISE started to work.
We were not able to troubleshoot the problem very well because there was another bug impacting the log creation and without a log, we were not able to troubleshoot.
05-08-2018 01:16 PM
Hi Rodrigo
Great to hear you issue got fixed. BTW, i'm upgrading this week to patch 3 as well as i have hit 2 bugs already one of them is the one you mentioned above about log creation (CSCvg30444)
Anyway it was TAC recommendation in my case to apply patch 3
05-08-2018 02:03 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide