02-10-2025 07:02 AM
We are using ISE 3.4 P4 on an Essentials license. We have a CWA Self Registered portal that is supposed to assign a static identity group on registration. No profiling is involved.
We are observing problems where endpoints are not being assigned to the static identity group if the profile is unknown. This also prevents end users from removing endpoints they have registered via MyDevices. A generic error is reported: "Failed to unregister endpoint".
Cisco TAC has advised that we need to have a valid endpoint profile for all devices in order to remediate this problem. Has anyone else experienced this issue or have advice?
02-10-2025 12:57 PM
Hi
As you say, profiling should have no bearing on the Guest Portal operation, and it doesn't. In my case, ISE 3.3p4 running only on Essentials (Advantage/Premier set to Disabled), I have no issues at all.
Guest Portal Authorization relies 100% on Endpoint Identity Groups. The Self-Registered Guest Portal has a drop-down to select which Endpoint Identity Group you want to use for guests that have their accounts created using this method. And that same Endpoint Identity Group is used in the Policy Set Authorization conditions - if the MAC address in the MAB request is contained in that Group, then return the Authorization Profile, else continue processing the Rules (usually the next rule is redirection to the guest portal).
To be honest, in my guest portal most of the endpoints are 'Unknown' because most modern devices will create private/random/rotating MAC addresses. Hence why profiles are completely useless to us. If you had too much money and enabled Advantage on your Guest PSNs, then you would learn nothing from the MAC address and DHCP snooping, unless you enabled HTTP probes on ISE and the WLC. But what's the point, right? We don't care if the device is an iPhone or macOS.
I hope you have a TAC case for this.
Is your ISE deployment used for Guest only?
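The reply above describes the authorization flow in words: the portal places the registered MAC in an Endpoint Identity Group, the first MAB rule permits when the MAC is in that group, and everything else falls through to the portal redirect. It also notes that most guest MACs are randomized. The following is an added example that models that flow, not ISE code or anything from Cisco or the thread: it normalizes MAC notation the way ISE displays it, tests the U/L bit that marks an OS-generated (private/random) address, evaluates the two-rule policy set against a constructed endpoint table, and audits which registered MACs never landed in the expected group. Group and profile names, the `EndpointStore` class and the sample MACs are all constructed for the example.

```python
"""Model of the guest-portal authorization logic described in the reply above.

Constructed example, not ISE or Cisco code. Assumes a two-rule policy set:
  1. MAB request, MAC in the portal's Endpoint Identity Group -> PermitAccess
  2. anything else                                           -> redirect to portal
"""
import re

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in ISE's display form, AA:BB:CC:DD:EE:FF.

    Accepts 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff', 'aabbccddeeff', etc., so a
    MAC typed into a portal and the same MAC seen in a RADIUS request compare
    equal regardless of notation.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    OS-generated private/random Wi-Fi addresses set this bit, so the OUI maps
    to no vendor and the endpoint profiles as Unknown, which is what the reply
    describes for most guest devices.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class EndpointStore:
    """Constructed stand-in for the endpoint database: MAC -> identity group."""

    def __init__(self):
        self.group_of = {}

    def register(self, mac: str, group: str) -> None:
        # Portal registration: the MAC is placed in the static group.
        self.group_of[normalize_mac(mac)] = group

    def unregister(self, mac: str) -> None:
        # MyDevices deletion: only possible if the endpoint record exists.
        key = normalize_mac(mac)
        if key not in self.group_of:
            raise KeyError(f"endpoint {key} not found")
        del self.group_of[key]


def authorize_mab(mac: str, store: EndpointStore,
                  guest_group: str = "GuestEndpoints") -> str:
    """First rule matches when the MAC is in the portal's group; otherwise the
    policy set falls through to the redirect rule."""
    if store.group_of.get(normalize_mac(mac)) == guest_group:
        return "PermitAccess"
    return "Redirect-To-Guest-Portal"


def audit_registrations(expected: list, store: EndpointStore,
                        guest_group: str = "GuestEndpoints") -> list:
    """Return MACs that completed portal registration but are not in the
    expected group. An empty list is the healthy result."""
    return [normalize_mac(m) for m in expected
            if store.group_of.get(normalize_mac(m)) != guest_group]


def demo():
    store = EndpointStore()
    phone = "5a:12:34:56:78:9a"    # constructed: U/L bit set, randomized style
    printer = "00:1A:2B:3C:4D:5E"  # constructed: vendor-assigned style
    before = authorize_mab(phone, store)        # not registered yet -> redirect
    store.register(phone, "GuestEndpoints")
    store.register(printer, "GuestEndpoints")
    after = authorize_mab(phone, store)         # in the group -> PermitAccess
    store.unregister("5A12.3456.789A")          # same MAC, Cisco dotted notation
    gone = authorize_mab(phone, store)          # removed -> redirect again
    return (before, after, gone,
            is_locally_administered(phone), is_locally_administered(printer))


if __name__ == "__main__":
    print(demo())
```

`audit_registrations` is the check to run against an export of registered endpoints when the symptom described in this thread is suspected: any MAC it returns was accepted by the portal but is not in the group the authorization rule tests.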
02-11-2025 12:45 PM - edited 02-11-2025 12:51 PM
We have a Hotspot portal for guests and Self Registered for authenticated users to register IoT devices. We do have a TAC case open. I've found in the past that Endpoint Profiling will change an endpoint's identity group, so we've gone through efforts to prevent that from happening. An example of what's going on today is if I register a generic MAC through the portal (12:12:12:12:12:12), it cannot subsequently be deleted from the MyDevices portal. The common factor we are seeing is that this is happening to devices that belong to the Unknown Endpoint Profile.