MAC addresses being removed from identity group

jacksonben
Level 1

ISE 3.2 Patch 6

We are having a recurring issue that is really becoming a problem now with some MAC addresses dropping their identity group after being placed into one.

Example:

1) Add MAC address to Identity group through Context Visibility -> Endpoints -> Select MAC address -> Edit -> tick Static Group Assignment and place into group

Context visibility Endpoints now shows the MAC address in the new group

2) Re-authenticate via Operations -> Live Sessions -> CoA Actions -> Session Reauthentication

3) Device re-authenticates correctly and hits the policy rule appropriate to that Identity group

4) Go back to Context Visibility -> Endpoints and refresh

MAC address now showing as "Unknown" even after successful authentication

5) Trigger re-authentication through CoA again and the device now hits the default policy rule

So many times we have just thought we made a mistake and forgot to import an address, so we add it this way, watch it successfully authenticate, and go away thinking we have sorted it, only for it to fail the next re-authentication when the timer (12 hours) runs out. Mostly we think we just got something wrong, but after much testing we have proven it really is ISE losing the ID group assignment.

This problem does not occur on all MAC addresses, just some, but there is no rhyme or reason to which ones do this, although I have noticed it seems to happen more on switchports with multiple MAC addresses on them, such as ports with IP phones or ones where there is a 3rd-party unmanaged switch on the other end like a Netgear.

 

Patch 6 had a resolved caveat that we thought might fix this: 

CSCwi60778

Endpoint Loses Static Identity Group Assignment after Reauthentication.

But sadly we are still hitting this problem.

Has anyone else experienced this? Is there some setting somewhere to prevent static identity group assignments from being overwritten at all?

We performed a reset of the Context Visibility database as well, to no avail.

So before we raise a TAC case I'm hoping someone here might be able to assist and point out where we might be going wrong.

Thanks.

 

6 Replies

MHM

Thanks MHM, we have tried that, but for this particular example we get a "Failed to update endpoint - concurrent error".

However even if that worked it is impractical to use the identity groups section to import hundreds of devices at once.
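The original post's procedure re-checks one endpoint at a time in Context Visibility, and the reply above notes that the identity-groups page does not scale to hundreds of devices. The script below is an added example (not code from the poster, from Cisco or from TAC) that does the same check over the ISE ERS REST API: it classifies each endpoint record as keeping its static group assignment, having lost the static flag (the "Unknown" case in the thread) or sitting in the wrong group, and it builds the PUT body that re-applies the assignment. The ERS endpoint resource genuinely exposes `groupId` and `staticGroupAssignment`; the host, credentials, group id and the sample endpoint records are placeholders constructed for the example, and the `if __name__` block runs offline on those constructed records only.

```python
"""Audit and re-apply static identity-group assignments via the ISE ERS API.

Added example for this thread; not the original poster's code and not Cisco's.
Assumes ERS is enabled (TCP 9060) and an ERS-admin account. ISE_HOST,
ERS_USER, ERS_PASS, SAMPLE_GROUP_ID and SAMPLE_RECORDS are placeholders.
"""
import base64
import json
import ssl
import urllib.request

ISE_HOST = "ise.example.com"   # placeholder
ERS_USER = "ers-admin"         # placeholder
ERS_PASS = "change-me"         # placeholder
VERIFY_TLS = True              # only set False in a lab with self-signed certs

JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def _opener():
    ctx = ssl.create_default_context()
    if not VERIFY_TLS:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def _auth_header():
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    return {"Authorization": "Basic " + token}


def fetch_endpoint(mac):
    """GET /ers/config/endpoint/name/{mac}; returns the ERSEndPoint dict."""
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/endpoint/name/{mac}",
        headers={**JSON_HEADERS, **_auth_header()})
    with _opener().open(req, timeout=15) as resp:
        return json.load(resp)["ERSEndPoint"]


def audit(endpoint, expected_group_id):
    """Classify one record: 'ok', 'static-flag-lost' or 'wrong-group'."""
    if not endpoint.get("staticGroupAssignment", False):
        return "static-flag-lost"      # the thread's "Unknown" symptom
    if endpoint.get("groupId") != expected_group_id:
        return "wrong-group"
    return "ok"


def update_body(endpoint, group_id):
    """PUT body that re-applies the static assignment; other fields preserved."""
    fixed = dict(endpoint)             # copy, so the caller's record is untouched
    fixed["groupId"] = group_id
    fixed["staticGroupAssignment"] = True
    return {"ERSEndPoint": fixed}


def reassign_group(endpoint, group_id):
    """PUT /ers/config/endpoint/{id}; returns the HTTP status code."""
    body = json.dumps(update_body(endpoint, group_id)).encode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/endpoint/{endpoint['id']}",
        data=body, method="PUT", headers={**JSON_HEADERS, **_auth_header()})
    with _opener().open(req, timeout=15) as resp:
        return resp.status


def audit_all(records, expected_group_id):
    """Return {mac: status} for a list of endpoint records (pure, no network)."""
    return {rec["mac"]: audit(rec, expected_group_id) for rec in records}


# Constructed sample records imitating ERSEndPoint JSON; not real data.
SAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder
SAMPLE_RECORDS = [
    {"id": "ep-1", "mac": "00:11:22:33:44:55", "groupId": SAMPLE_GROUP_ID,
     "staticGroupAssignment": True, "staticProfileAssignment": False},
    {"id": "ep-2", "mac": "00:11:22:33:44:66", "groupId": "unknown-group-placeholder",
     "staticGroupAssignment": False, "staticProfileAssignment": False},
    {"id": "ep-3", "mac": "00:11:22:33:44:77", "groupId": "other-group-placeholder",
     "staticGroupAssignment": True, "staticProfileAssignment": False},
]

if __name__ == "__main__":
    # Offline demo on the constructed records. Against a live deployment you
    # would call fetch_endpoint(mac) per MAC, and reassign_group() on drift.
    for mac, status in audit_all(SAMPLE_RECORDS, SAMPLE_GROUP_ID).items():
        print(mac, status)
```

Run it once after the 12-hour reauthentication window the post describes and the `audit_all` output tells you which MACs silently dropped the static flag, which is the evidence TAC will ask for; `reassign_group` re-applies the assignment, but if the underlying defect is still present the same endpoints will drift again, so keep the audit running on a schedule rather than treating one re-apply as a fix.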

jacksonben
Level 1

A video showing the problem example above is attached.

essarahemi
Level 1

Yes, I am also having the same issue.

jacksonben
Level 1

We currently have this being investigated by TAC.

Can you please update us on the TAC solution.

Thanks

MHM