We have recently upgraded our ISE infrastructure, we did this by cloning the servers. These clones had their deployment broken, IP changed, name changed, upgraded and then joined together as a distributed deployment (2 Admin/Monitoring, 2 Policy Nodes). Our 3850 access switches then had the target group for authentication changed to the upgraded deployment.
We are seeing that these switches are still downloading the DACL defined in the authorization profile from the old ISE servers. Has anyone seen this before or have any ideas?