MAC addresses being removed from identity group

jacksonben
Level 1

ISE 3.2 Patch 6

We are having a recurring issue that is really becoming a problem now with some MAC addresses dropping their identity group after being placed into one.

Example:

1) Add MAC address to Identity group through Context Visibility -> Endpoints -> Select MAC address -> Edit -> tick Static Group Assignment and place into group

Context visibility Endpoints now shows the MAC address in the new group

2) Re-authenticate via Operations -> Live Sessions -> CoA Actions -> Session Reauthentication

3) Device re-authenticates correctly and hits the policy rule appropriate to that Identity group

4) Go back to Context Visibility -> Endpoints and refresh

MAC address now showing as "Unknown" even after successful authentication

5) Trigger re-authentication through CoA again and the device now hits the default policy rule

So many times we have just thought we made a mistake and forgot to import an address, so we add it this way, watch it successfully authenticate, and go away thinking we have sorted it, only for it to fail the next re-authentication when the timer (12 hours) runs out. Mostly we think we just got something wrong, but after much testing we have proven it really is ISE losing the ID group assignment.

This problem does not occur on all MAC addresses, just some, but there is no rhyme or reason to which ones do this. Although I have noticed it seems to happen more on switchports with multiple MAC addresses on them, such as ports with IP phones or ones where there is a third-party unmanaged switch on the other end, like Netgear.

 

Patch 6 had a resolved caveat that we thought might fix this: 

CSCwi60778

Endpoint Loses Static Identity Group Assignment after Reauthentication.

But sadly we are still hitting this problem.

Has anyone else experienced this? Is there some setting somewhere to prevent static identity group assignments from being overwritten at all?

We performed a reset of the Context Visibility database as well, to no avail.

So before we raise a TAC case I'm hoping someone here might be able to assist and point out where we might be going wrong.

Thanks.
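The original post checks each endpoint by hand in Context Visibility, which does not scale to the hundreds of addresses mentioned later in the thread. The script below is an added example, not part of this thread or of Cisco's own tooling: it audits a list of expected MAC-to-group assignments against what ISE currently holds, using the ISE ERS API on port 9060 and the endpoint resource fields `mac`, `groupId` and `staticGroupAssignment` as documented for ERS. The hostname, credentials, endpoint IDs and group ID are placeholders, and the sample ERS responses are constructed so the audit can run offline; point `audit()` at `ers_get` to run it against a real deployment with ERS enabled.

```python
"""
Audit ISE endpoints for lost static identity-group assignments.

Added example, not from the original thread. Assumes the ISE ERS API
(port 9060) and the ERS endpoint fields "mac", "groupId" and
"staticGroupAssignment". Host, credentials and IDs below are placeholders.
"""
import base64
import json
import ssl
import urllib.request

ISE_HOST = "ise-pan.example.com"   # placeholder: your Primary Admin Node
ISE_USER = "ers-admin"             # placeholder: an ERS admin account
ISE_PASS = "changeme"              # placeholder


def ers_get(path, host=ISE_HOST, user=ISE_USER, password=ISE_PASS, verify=True):
    """GET a JSON resource from the ERS API and return the parsed body."""
    url = f"https://{host}:9060{path}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context()
    if not verify:  # only for lab PANs with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def fetch_endpoint(mac, get=ers_get):
    """Look up one endpoint by MAC; return the ERSEndPoint dict or None."""
    mac = mac.upper()  # ISE stores MACs upper-case with colons
    search = get(f"/ers/config/endpoint?filter=mac.EQ.{mac}")
    resources = search["SearchResult"]["resources"]
    if not resources:
        return None
    return get(f"/ers/config/endpoint/{resources[0]['id']}")["ERSEndPoint"]


def check_endpoint(expected_group_id, endpoint):
    """
    Classify one endpoint against the group it should be statically in.
    Returns "ok", "missing", "not-static" or "wrong-group".
    """
    if endpoint is None:
        return "missing"
    if not endpoint.get("staticGroupAssignment", False):
        return "not-static"  # assignment reverted to dynamic (e.g. "Unknown")
    if endpoint.get("groupId") != expected_group_id:
        return "wrong-group"
    return "ok"


def audit(expected, get=ers_get):
    """expected: {mac: group_id}. Return {mac: status} for every drifted entry."""
    drift = {}
    for mac, group_id in expected.items():
        status = check_endpoint(group_id, fetch_endpoint(mac, get))
        if status != "ok":
            drift[mac] = status
    return drift


# Constructed sample ERS responses (not real ISE output) so this runs offline.
GROUP_PRINTERS = "11111111-1111-1111-1111-111111111111"  # placeholder group id
_SAMPLE = {
    "/ers/config/endpoint?filter=mac.EQ.00:11:22:33:44:55": {
        "SearchResult": {"total": 1, "resources": [{"id": "ep-1"}]}},
    "/ers/config/endpoint/ep-1": {"ERSEndPoint": {
        "mac": "00:11:22:33:44:55", "groupId": GROUP_PRINTERS,
        "staticGroupAssignment": True}},
    "/ers/config/endpoint?filter=mac.EQ.00:11:22:33:44:66": {
        "SearchResult": {"total": 1, "resources": [{"id": "ep-2"}]}},
    "/ers/config/endpoint/ep-2": {"ERSEndPoint": {  # the symptom from the thread
        "mac": "00:11:22:33:44:66", "groupId": "unknown-group-id",
        "staticGroupAssignment": False}},
    "/ers/config/endpoint?filter=mac.EQ.00:11:22:33:44:77": {
        "SearchResult": {"total": 0, "resources": []}},
}


def sample_get(path):
    """Offline stand-in for ers_get() backed by the constructed responses."""
    return _SAMPLE[path]


EXPECTED = {  # the assignments you believe you made (constructed)
    "00:11:22:33:44:55": GROUP_PRINTERS,
    "00:11:22:33:44:66": GROUP_PRINTERS,
    "00:11:22:33:44:77": GROUP_PRINTERS,
}

if __name__ == "__main__":
    for mac, status in audit(EXPECTED, get=sample_get).items():
        print(f"{mac}: {status}")
```

Run it on a schedule shorter than the re-authentication timer and any address that flips from `ok` to `not-static` between runs is one that ISE has silently reverted, which gives TAC a timestamped list rather than an anecdote.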

 

11 Replies

MHM

Thanks MHM, we have tried that, but for this particular example we get a "Failed to update endpoint - concurrent error".

However even if that worked it is impractical to use the identity groups section to import hundreds of devices at once.

jacksonben
Level 1

Video showing the problem example above attached.

essarahemi
Level 1

Yes, I am also having the same issue.

jacksonben
Level 1

We currently have this being investigated by TAC.

Can you please update us with the TAC solution.

So thanks 

MHM

Would love to know what they say. I'm having the same problem and am about to upgrade to 3.3 Patch 3; I'll let you know if that helps.

jacksonben
Level 1

We have heard nothing for two weeks now; I suspect this is quite a sticky problem for them. But it is crucial that it is fixed for our particular deployment scenario.

jacksonben
Level 1

Patch 7 was released on 10th Oct, which TAC have informed us should fix this problem. We will update this after approval from our change board.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/release_notes/b_ise_32_RN.html

Fingers crossed this does the trick!

MSDOIT
Level 1

I'm cleared to apply this tonight. I'll report back. Did they say anything about any of the other 3.x versions, e.g. 3.3 or 3.4?

jacksonben
Level 1

I'm afraid not; in fact, I was given to understand that this issue was 3.2-specific, and the bug tracker only lists 3.2p6.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk94725

The previous 3.2 patch 6 had what sounded like a similar resolved caveat, as mentioned in the original post, which is also in the release notes for 3.3 patch 3, so that may hopefully resolve your issue.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#resolved_caveats_33p3

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi60778