ISE 3.3 patch 4 authorisation matching

Stuart Patton
Level 1

Hi,

Having some issues with ISE 3.3 patch 4 regarding MAB authorisation rules.  We are using a third party product that ingests endpoints from ISE as well as from strategic span ports.  By examining the traffic flows from the endpoint, it can then write custom attributes back to ISE via PxG that give more contextual information about the vendor, model, business function etc.

The devices in ISE would previously be authorised by profiling rules, however we're seeing mixed behaviour with new auth rules that are higher than our legacy rules which were based on profiling.  For example, we have some devices matching the custom attribute (the auth rule uses EQUALS as the operator) - some devices work and some don't.  We can't see anything obviously wrong with the custom attribute for devices that are not matching the rule - it is there and I can't see any whitespace.  We have also found devices that have a static policy assigned; if we strip the assignment, the device immediately matches the new rule (we know this because we set different SGTs and can see it change on the switch).

We seem to have a bit more success if we create a profiling rule that matches the same custom attribute (also using EQUALS as the operator) and a CF value that is higher than the legacy rule, which then matches a new authorisation rule based on the new profiling rule.  This is despite it using the same value and the same operator as the authz rule that does not work...

Is there some undocumented behaviour regarding authz rules, e.g. static assignments taking priority?  I assume there is no such thing as multi-match in ISE 3.3?  I found another post saying this was not a thing in ISE 2.4 and above.

Is there a way to debug endpoint authentication/authorisation that shows each of the steps that are taking place internally within ISE that we can look at to try to understand what is or isn't happening?


Thanks,

Stuart
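One way to audit the two things the post singles out (a static assignment on the endpoint, and a custom-attribute value that looks right in the GUI but does not satisfy an EQUALS rule) is to pull the endpoint records out of ISE and compare them offline. The following is an added example, not code from the post or from Cisco: it runs over constructed records whose field names follow the ISE ERS endpoint representation as I recall it (an assumption; verify against your own ISE's ERS SDK page), and the attribute name `BusinessFunction` and its values are invented.

```python
import unicodedata

# Constructed sample: the shape of GET /ers/config/endpoint/{id} responses for
# three endpoints. Field names are an assumption about the ERS schema; the
# attribute name and values are invented. The third record carries a trailing
# no-break space, which is invisible in a GUI but fails a literal EQUALS.
SAMPLE_ENDPOINTS = [
    {"ERSEndPoint": {"mac": "00:11:22:33:44:55", "staticProfileAssignment": False,
     "staticGroupAssignment": False,
     "customAttributes": {"customAttributes": {"BusinessFunction": "HVAC"}}}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:66", "staticProfileAssignment": True,
     "staticGroupAssignment": False,
     "customAttributes": {"customAttributes": {"BusinessFunction": "HVAC"}}}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:77", "staticProfileAssignment": False,
     "staticGroupAssignment": False,
     "customAttributes": {"customAttributes": {"BusinessFunction": "HVAC\u00a0"}}}},
]

def describe_hidden_chars(value):
    """Name every character that is not plain printable ASCII, so a value that
    renders identically to the rule's literal can still be told apart from it."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} at index {i}"
            for i, ch in enumerate(value) if not (32 < ord(ch) < 127)]

def audit_endpoint(record, attr_name, expected):
    """Return the reasons an EQUALS condition on attr_name might not match."""
    ep = record["ERSEndPoint"]
    findings = []
    if ep.get("staticProfileAssignment"):
        findings.append("static profile assignment set")
    if ep.get("staticGroupAssignment"):
        findings.append("static identity-group assignment set")
    attrs = ep.get("customAttributes", {}).get("customAttributes", {})
    value = attrs.get(attr_name)
    if value is None:
        findings.append(f"custom attribute {attr_name!r} absent")
    elif value != expected:
        # Distinguish a genuinely different value from one that only differs
        # by case or by whitespace the GUI does not show.
        if value.strip().casefold() == expected.strip().casefold():
            findings.append("value differs only by case/whitespace: "
                            + "; ".join(describe_hidden_chars(value) or [repr(value)]))
        else:
            findings.append(f"value {value!r} != {expected!r}")
    return findings

def audit_all(records, attr_name, expected):
    """Map each MAC to its findings; an empty list means nothing suspicious."""
    return {r["ERSEndPoint"]["mac"]: audit_endpoint(r, attr_name, expected)
            for r in records}

if __name__ == "__main__":
    for mac, found in audit_all(SAMPLE_ENDPOINTS, "BusinessFunction", "HVAC").items():
        print(mac, "OK" if not found else "; ".join(found))
```

Endpoints that come back clean but still miss the rule are the ones worth taking into the PRRT/profiler debugs, since the record itself then gives no reason for the mismatch.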

1 Reply

Arne Bier
VIP

I know that frustration - I don't always get the warm fuzzy feeling that profiling is working the way it should - and the logic it uses to arrive at a final conclusion is shrouded in debugs. I had a TAC case recently and the engineer enabled PRRT and NSF - I think the NSF is the main one to look for.

Here is also a handy cheat sheet regarding which debugs to enable for certain scenarios.