1629 Views | 10 Helpful | 8 Replies

Not able to find self created Endpoint Identity group

dgaikwad (Level 5)

Hi Experts,
I am configuring a posture policy to affect only a set of laptops, but while configuring the posture policy I do not see the endpoint group that I created.
ISE only lists the following: Blacklist, GuestEndpoints, RegisteredDevices and Unknown.
This endpoint group is created as result of the profiling policy that I have configured.

Is this by design, or do I need to follow some other path to have it listed here?

1 Accepted Solution

Maybe there's a difference in the version of ISE you're using. In ISE 2.6p3 I created two different EIGs; one automatically from a Profiler Policy called TEST_POSTURE_PROFILE_GROUP, and another manually called TEST_POSTURE_MANUAL_GROUP.

Screen Shot 2020-02-06 at 5.32.00 pm.png

When I select an EIG from the Posture Policy, only the TEST_POSTURE_MANUAL_GROUP is available.

Screen Shot 2020-02-06 at 5.32.43 pm.png


8 Replies

Hello,

Check this one:
Go to Policy->Profiling->Profiling Policies->Choose your profile
Once inside, check the radio button "Create Identity Group for Policy".

Then you should be able to see the group in Policy sets.

Regards,
Konstantinos

Yes, the endpoint group is created in this way, but I am not able to call it in the identity group matching, as seen below:
endpoint groups listed.jpg
So, how do we get it here, as only the default groups are listed?

Greg Gibbs (Cisco Employee)

There is a slight difference between Endpoint Identity Groups automatically created by a Profiling Policy and those manually created from the Administration > Identity Management > Groups > Endpoint Identity Groups page.

The ability to use the Endpoint ID Group as a matching condition in Posture Policy is a fairly new addition (ISE 2.3+) and at this time only manually created groups can be used.


Cheers,

Greg


I am using the suggested way to call the endpoint group that I created, or the one that was created automatically from the profiling policy that I created.
Still, I do not see those listed when I select the Identity Groups under the Posture policy.


There appears to be an additional caveat/limitation here. I can create a manual group nested under a Parent group like RegisteredDevices and still reference that in the Posture Policy.

If I create a manual group nested under the Profiled parent group, however, I cannot reference it in the Posture Policy. I suspect that's because the Profiled parent group is used mainly for groups automatically created by the Profiling Policies and is not common practice to update it manually.

I am using ISE 2.4.0.357.
Yes, that seems to be the case: it takes the endpoint groups that are nested under the Registered groups but not the Profiled ones.
So, I would need to use Other Conditions and call the profiled group there to apply the posture policy.

I think there would be other admins out there who would like to call the profiled groups directly here rather than calling them in the other conditions.
It would be really great if this feature were added in ISE's future updates.

Please reach out to our product team for future enhancement requests: externally, for Cisco customers/partners, at http://cs.co/ise-feedback; internally, for Cisco employees, at http://cs.co/ise-pm