
Profiling stopped working post upgrade to 2.7 patch 7

dgaikwad
Level 5

Hi Team,
Synopsis:
PEAP MSCHAP used for authentication.
Authorization is provided by profiling endpoints based on hostnames.
There are multiple endpoint profiles, and based on them different VLANs are assigned.
Profiling probes HTTP, AD, DHCP, SNMP Query.

Issue:
Post upgrade from 2.2 to 2.7 patch 7; all are running on SNS3595 appliances (6 node cluster).
It's observed that profiling is not working and endpoints do not even show up in context visibility.
Thus, users are getting authenticated, but final access based on their endpoint profiles is not getting applied for them.
This seems to be random in nature as well; after some time endpoints will get profiled and final access applied.

Troubleshooting:
Swapped PAN node personas between primary and secondary.
Performed context visibility syncs between the nodes.
Performed reboot of the primary and secondary admin nodes.

Has anyone faced such an issue before, where endpoints just fail to profile or do not even show up in context visibility...
Or what could be the troubleshooting steps?
There is already a TAC case opened and working on this issue in the background.

2 Accepted Solutions

Did you go directly from 2.2 to 2.7? Did your policies transfer correctly to the new Policy Set structure that was introduced in 2.3? I usually recommend building a parallel ISE cluster from scratch rather than upgrading from any version older than 2.3. The automatic policy conversion logic can make quite a mess of things. What was your upgrade path? Direct? Did you change the IPs of any of your ISE nodes so that the DHCP relay profiling data is no longer hitting one of the ISE nodes?

Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

To add to what @ahollifield said, if using policy conditions such as Wired_MAB or Wireless_MAB, you want to delete them and add them again with the new Policy Engine for them to work correctly.  2.2 to 2.7 is QUITE the jump, but it's definitely worth it!

4 Replies

thomas
Cisco Employee

Not going to duplicate the effort of TAC here.

dgaikwad
Level 5

The issue has been resolved with assistance from Cisco TAC.
