Solved: Re: ISE 2.4 - Endpoint registration status changed to "Unknown" after re-profiling

Mark Hamilton · ‎06-24-2019

We are experiencing an issue which affects some endpoints after they have been re-profiled. From time to time we see endpoints that have been profiled as a specific type of device (i.e. Windows10-Workstation), get re-profiled as a generic device such as "Microsoft-Workstation" or sometimes "Unknown". This is an issue in itself but it is not the issue I want to discuss in this thread.

After an endpoint gets re-profiled like above, the attributes BYOD Registration and DeviceRegistrationStatus are subsequently changed to "Unknown" as seen below:

As part of our authentication policies we specifically check the BYOD registration status of an endpoint. This means that an endpoint that is affected by this issue, is no longer able to authenticate on the network and the ONLY way we can resolve it is to delete the endpoint from ISE and re-onboard it.

Cisco TAC claim that this is to be expected when an endpoint is re-profiled but I am finding it hard to understand why the REGISTRATION attributes on an endpoint are modified during the re-profiling process.

They also claim that if the endpoint successfully authenticates after this issue has occurred, then it should be re-profiled correctly (e.g. from a Microsoft-Workstation to a Windows10-Workstation) and the registration attributes should be updated. We have not seen this behaviour and we have had to delete the endpoint and re-onboard it every time.

Does anybody else run a BYOD environment and have experienced issues similar to this?

Mark Hamilton · ‎06-24-2019

Hi Francesco,

I've just checked an endpoint which recently hit this issue and it appears that the MAC address is not present in the "RegisteredDevices" group.

There is an exception to the issue I described in the original post. On some endpoints only the BYOD registration attribute is changed to "Unknown" and the DeviceRegistrationStatus attribute remains as "Registered".

In either circumstance I can't imagine why ISE would modify either attribute or remove the MAC address from the registered devices group.

The issue is very similar to a bug we were hitting on ISE 2.3 which is documented under bug ID CSCvm12069. This bug was resolved in a patch release.

View solution in original post

Francesco Molino · ‎06-24-2019

Hi

I deployed several byod infrastructure and this is the first time i hear about such issue.

When it gets re-profiled, does the device mac address is still in the group RegisteredDevices (or whatever group you use in your BYOD onboarding)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Mark Hamilton · ‎06-24-2019

Hi Francesco,

I've just checked an endpoint which recently hit this issue and it appears that the MAC address is not present in the "RegisteredDevices" group.

There is an exception to the issue I described in the original post. On some endpoints only the BYOD registration attribute is changed to "Unknown" and the DeviceRegistrationStatus attribute remains as "Registered".

In either circumstance I can't imagine why ISE would modify either attribute or remove the MAC address from the registered devices group.

The issue is very similar to a bug we were hitting on ISE 2.3 which is documented under bug ID CSCvm12069. This bug was resolved in a patch release.

Francesco Molino · ‎06-26-2019

Ok that's weird you get devices removed from the registered group. I never faced that issue neither in 2.3 or 2.4

Maybe you will need to call the TAC. Can you reproduce the issue or is it random?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Mark Hamilton · ‎06-26-2019

Yes it is very unusual Francesco and unfortunately we cannot reproduce the issue on demand. The issue is affecting a small number of endpoints at random.

Unfortunately I have already been dealing with TAC on this issue and they have advised me that this is expected behaviour. I have requested that the case be escalated and investigated further.

Mike.Cifelli · ‎06-27-2019

It sounds like you are using the Cisco default out of the box profiling policies? I recommend using your own profiling policies with a higher MCF in an attempt to avoid your issue. I have seen a similar issue when attempting to profile based on a pxe boot dhcp attribute where the attribute are there and then gone. Have you considered potentially changing your authz condition to push policy? Maybe that is the better option. Good luck.

Jason Kunst · ‎06-27-2019

yes please escalate the issue, i have also copied our BYOD and Profiling TMEs on this @howon @kthiruve

Mark Hamilton · ‎06-27-2019

@mike - Yes I believe we are using the default Cisco profiling policies. I'll discuss your suggestions with my colleagues.

@jason - Thank you.

Antonio Macia · ‎11-08-2019

Hi Mark,

We are facing the exact same issue. Devices being re-profiled change their BYOD Registered flag to unknown causing the endpoint being rejected because the authorization policy expects this flag in one of the conditions.

The MAC address also disappears from the RegisteredDevices group, so replacing the above condition for another looking into this group wouldn't make any sense either.

Did you get feedback from Cisco about this?

Thanks.