dongill

ISE Restore Purged BYOD Endpoints After Upgrade to v3.0 Patch 2

Hi,

We've upgraded from ISE 2.4 to 3.0 Patch 2 via backup & restore method to a staged v3 deployment, however upon the Restore completion a purge rule was enabled [disabled in the backup of v2.4, enabled out of box in the v3 for an unknown reason].


The purge executed during our post checks deleting ~2000 employee registered BYOD devices but was only noticed the next day after some adjustments had been made in the staged v3 deployment.


Can anyone advise on a way to restore the employee registered BYOD devices into the ISE database so that they appear in the MyDevices portal, without having to do a full restore procedure?


We have tried exporting / importing from the live v2.4 deployment via CSV [with fields mapped], and whilst this does add the endpoint to the DB, it is not visible under the user's MyDevices portal page.


We are trying to avoid a negative user experience [having to re-add the MAC address for a provisioned device in MyDevices] or having to rebuild/restore the v3.0 deployment and start again.


Any help would be great!


Thanks


Accepted Solutions
dongill

Raised as an enhancement request with Cisco, hopefully such a trivial function could be implemented in a future release.


5 Replies
dongill

I noticed this post in relation to a similar need; Jason Kunst replied with an export / import process for ISE 2.1, but as above it doesn't achieve what we need.

https://community.cisco.com/t5/network-access-control/byod-export-registered-endpoint/m-p/3420159


Is there something specific that needs to be done to the endpoint for it to appear in the MyDevices portal for the user once re-imported?

Are there required fields in the import sheet that need to be completed?

My BYOD knowledge is a bit rusty - but I thought that an endpoint would have to be in the Registered Endpoint Identity Group.

Thanks Arne; they can be but our implementation has different endpoint groups based on use-case/context (and purge requirements Haha!!)


We now have a case open with TAC, they suspected what we are seeing is an existing bug but it’s not quite the same as said bug.

Provided more data back to TAC and awaiting a response from the engineer… will update here when we have more info.


Important thing to watch out for: we did not enable the purge rule, it was enabled as part of the restore! This particular rule was created to purge employee endpoints not seen/profiled for 3 months plus, but was disabled during Covid WFH (for obvious reasons).

Still back and forth with TAC, but it transpires that what we are trying to do is NOT supported.

TAC believe it relates to this bug / enhancement request:


Gets worse... if you import the endpoints back into the ISE DB [Context Visibility] with the various fields mapped, including "BYOD Registration" = Registered flag, ISE throws an error on import showing "BYOD Registration is invalid for (X) nodes" and the endpoints are not imported.


If you repeat this with "BYOD Registration" = Unknown, the endpoint is updated, but does not appear in the MyDevices portal. Should a user wish to edit / wipe their device and re-onboard via BYOD, they are unable to do so as ISE says "Endpoint Already exists / Registered to another user etc" and they must call the Service Desk.


Sadly, not getting very far on what seems to be a trivial thing to achieve - TAC just ask us to do a complete restore of the entire system to recover the Endpoints into their original BYOD Registered state.


Feeling a little disappointed, Cisco - if someone were to accidentally remove a large number of BYOD registered endpoints, we currently have two choices:


1 - Restore the entire ISE system [days of work]

2 - Ask all the affected users to re-onboard [incredibly disruptive, requires business comms etc].


Neither are ideal - Raised as an enhancement request with Cisco, hopefully such a trivial function could be implemented in a future release.
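Before choosing between the two options above, the first thing an operator needs is an accurate list of what the purge actually removed and which portal users are affected. The script below is an added example, not code from this thread or from Cisco: it compares a pre-purge Context Visibility export with a post-restore export, keeps only the endpoints that disappeared and carried the Registered flag, and groups them by portal user so the Service Desk has a per-user list. The column names (`MACAddress`, `BYODRegistration`, `PortalUser`, `IdentityGroup`) and the two sample exports are assumptions constructed for illustration; check the header row of your own export and adjust `COLUMNS` to match.

```python
import csv
import io
import re
from collections import defaultdict

# ASSUMPTION: column names in the CSV export. Real ISE export headers may differ;
# map them here rather than editing the functions below.
COLUMNS = {
    "mac": "MACAddress",
    "byod": "BYODRegistration",
    "user": "PortalUser",
    "group": "IdentityGroup",
}

# Constructed sample data standing in for the v2.4 export taken before the purge.
PRE_PURGE_EXPORT = """MACAddress,BYODRegistration,PortalUser,IdentityGroup
00:11:22:33:44:55,Registered,alice,Employee-BYOD
00:11:22:33:44:66,Registered,alice,Employee-BYOD
AA:BB:CC:DD:EE:01,Unknown,,Printers
AA:BB:CC:DD:EE:02,Registered,bob,Employee-BYOD
aa-bb-cc-dd-ee-03,Registered,carol,Contractor-BYOD
"""

# Constructed sample data standing in for the v3.0 export taken after the purge ran.
POST_RESTORE_EXPORT = """MACAddress,BYODRegistration,PortalUser,IdentityGroup
00:11:22:33:44:55,Registered,alice,Employee-BYOD
AA:BB:CC:DD:EE:01,Unknown,,Printers
"""


def normalize_mac(raw):
    """Return the MAC in canonical upper-case colon form.

    Exports from different tools use ':', '-' or no separator; comparing the
    raw strings would miss matches. Malformed values raise rather than being
    silently dropped, so a corrupt export is noticed.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_export(text):
    """Parse a CSV export into a dict keyed by normalized MAC address."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[normalize_mac(row[COLUMNS["mac"]])] = row
    return rows


def find_purged_byod(pre_text, post_text):
    """Endpoints present before the purge, absent after it, and flagged Registered."""
    pre = load_export(pre_text)
    post = load_export(post_text)
    missing = [pre[mac] for mac in pre if mac not in post]
    return [
        row for row in missing
        if row[COLUMNS["byod"]].strip().lower() == "registered"
    ]


def summarize_by_user(rows):
    """Group purged endpoints by portal user for a per-user notification list."""
    by_user = defaultdict(list)
    for row in rows:
        owner = row[COLUMNS["user"]].strip() or "<no portal user>"
        by_user[owner].append(normalize_mac(row[COLUMNS["mac"]]))
    return dict(by_user)


if __name__ == "__main__":
    purged = find_purged_byod(PRE_PURGE_EXPORT, POST_RESTORE_EXPORT)
    print(f"{len(purged)} registered BYOD endpoint(s) removed by the purge")
    for user, macs in sorted(summarize_by_user(purged).items()):
        print(f"  {user}: {', '.join(macs)}")
```

Run it against real exports by reading the two files into `PRE_PURGE_EXPORT` and `POST_RESTORE_EXPORT`; the per-user output is the list the thread's option 2 would need for business comms, and the MAC column doubles as the import sheet for option 1 if a supported re-import path becomes available.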
