09-10-2024 06:20 AM - edited 09-10-2024 06:24 AM
ISE 3.2 Patch 6
We are having a recurring issue that is really becoming a problem now with some MAC addresses dropping their identity group after being placed into one.
Example:
1) Add MAC address to Identity group through Context Visibility -> Endpoints -> Select MAC address -> Edit -> tick Static Group Assignment and place into group
Context visibility Endpoints now shows the MAC address in the new group
2) Re-authenticate via Operations -> Live Sessions -> CoA Actions -> Session Reauthentication
3) Device re-authenticates correctly and hits the policy rule appropriate to that Identity group
4) Go back to Context Visibility -> Endpoints and refresh
MAC address now showing as "Unknown" even after successful authentication
5) Trigger re-authentication through CoA again and the device now hits the default policy rule
So many times we have just thought we made a mistake and forgot to import an address, so we add it this way, watch it successfully authenticate, and go away thinking we have sorted it, only for it to fail the next re-authentication when the timer (12 hours) runs out. Mostly we think we just got something wrong, but after much testing we have proven it really is ISE losing the ID group assignment.
This problem does not occur on all MAC addresses, just some, but there is no rhyme or reason to which ones do this. Although I have noticed it seems to happen more on switchports with multiple MAC addresses on them, such as ports with IP phones or ones where there is a third-party unmanaged switch (such as a Netgear) on the other end.
Patch 6 had a resolved caveat that we thought might fix this:
Endpoint Loses Static Identity Group Assignment after Reauthentication.
But sadly we are still hitting this problem.
Has anyone else experienced this? Is there some setting somewhere to prevent static identity group assignments from being overwritten at all?
We performed a reset of the Context Visibility database as well, to no avail.
So before we raise a TAC case I'm hoping someone here might be able to assist and point out where we might be going wrong.
Thanks.
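Before re-authenticating hundreds of endpoints by hand, it helps to pull the same two attributes the GUI shows (static group flag and current group) for every MAC in the inventory and diff them against what was imported. The script below is an added example written for this thread, not code from the original poster or from Cisco. It uses the ISE ERS API (enabled under Administration > System > Settings > API Settings, TCP 9060) and assumes the hostname, ERS admin account, CA bundle path and the EXPECTED mapping are placeholders you replace; the endpoint group ids in EXPECTED and the SAMPLE_ENDPOINTS records are constructed data so the audit logic runs offline.

```python
"""Audit static identity-group assignments on Cisco ISE via the ERS API.

Added example, not from the original thread. Placeholders (assumptions):
ISE_HOST, ERS_USER, ERS_PASS, CA_BUNDLE and the EXPECTED mapping.
"""
import base64
import json
import ssl
import sys
import urllib.parse
import urllib.request

ISE_HOST = "ise-pan.example.com"   # assumed PAN hostname
ERS_USER = "ers-admin"             # assumed ERS admin account
ERS_PASS = "changeme"              # assumed password; read from a vault in practice
CA_BUNDLE = None                   # path to the ISE admin cert chain, or None for system CAs

# Expected state: MAC -> identity group id (ids come from GET /ers/config/endpointgroup).
# Constructed sample inventory, not real data.
EXPECTED = {
    "AA:BB:CC:DD:EE:01": "11111111-1111-1111-1111-111111111111",
    "AA:BB:CC:DD:EE:02": "11111111-1111-1111-1111-111111111111",
}

# Constructed ERSEndPoint records: one that kept its assignment, one that lost it
# (static flag cleared and group changed, the symptom described in the thread).
SAMPLE_ENDPOINTS = {
    "AA:BB:CC:DD:EE:01": {"mac": "AA:BB:CC:DD:EE:01", "staticGroupAssignment": True,
                          "groupId": "11111111-1111-1111-1111-111111111111"},
    "AA:BB:CC:DD:EE:02": {"mac": "AA:BB:CC:DD:EE:02", "staticGroupAssignment": False,
                          "groupId": "22222222-2222-2222-2222-222222222222"},
}

STATUS_STATIC_CLEARED = "static-flag-cleared"
STATUS_GROUP_CHANGED = "group-changed"
STATUS_MISSING = "not-in-ise"


def classify(endpoint: dict, expected_group: str) -> list:
    """Compare one ERSEndPoint object with the expected static assignment.

    Returns the list of problems found; an empty list means the assignment held.
    """
    problems = []
    if not endpoint.get("staticGroupAssignment", False):
        problems.append(STATUS_STATIC_CLEARED)
    if endpoint.get("groupId") != expected_group:
        problems.append(STATUS_GROUP_CHANGED)
    return problems


def audit(endpoints: dict, expected: dict) -> dict:
    """endpoints: MAC -> ERSEndPoint dict (None if not found). Returns MAC -> problem list."""
    report = {}
    for mac, group in expected.items():
        ep = endpoints.get(mac)
        report[mac] = [STATUS_MISSING] if ep is None else classify(ep, group)
    return report


def ers_get(path: str) -> dict:
    """GET an ERS resource as JSON with HTTP basic auth over verified TLS."""
    url = f"https://{ISE_HOST}:9060{path}"
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def fetch_endpoint(mac: str):
    """Look up an endpoint by MAC; return its ERSEndPoint dict or None if absent."""
    search = ers_get("/ers/config/endpoint?filter=mac.EQ." + urllib.parse.quote(mac))
    resources = search.get("SearchResult", {}).get("resources", [])
    if not resources:
        return None
    return ers_get(f"/ers/config/endpoint/{resources[0]['id']}")["ERSEndPoint"]


if __name__ == "__main__":
    # "--live" queries the PAN; otherwise the constructed sample is audited offline.
    live = "--live" in sys.argv
    endpoints = {mac: fetch_endpoint(mac) for mac in EXPECTED} if live else SAMPLE_ENDPOINTS
    for mac, problems in audit(endpoints, EXPECTED).items():
        print(mac, "OK" if not problems else ", ".join(problems))
```

Run it once right after the import, again after the CoA re-authentication, and again after the 12-hour timer expires; any MAC that moves from "OK" to "static-flag-cleared, group-changed" between runs is one to list in the TAC case along with its authentication timestamps.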
09-10-2024 07:27 AM - edited 09-14-2024 09:19 AM
MHM
09-10-2024 07:43 AM
Thanks MHM, we have tried that, but for this particular example we get a "Failed to update endpoint - concurrent error".
However even if that worked it is impractical to use the identity groups section to import hundreds of devices at once.
09-10-2024 07:37 AM
10-07-2024 02:03 AM
Yes, I am also having the same issue.
10-07-2024 06:01 AM
We currently have this being investigated by TAC.
10-07-2024 06:13 AM
Can you please update us with the TAC solution.
So thanks
MHM