08-09-2022 11:13 PM
Hi Team,
Synopsis:
PEAP MSCHAP used for authentication.
Authorization is provided by profiling endpoints based on hostnames.
There are multiple endpoint profiles, and different VLANs are assigned based on them.
Profiling probes HTTP, AD, DHCP, SNMP Query.
Issue:
Post upgrade from 2.2 to 2.7 patch 7; all are running on SNS3595 appliances (6-node cluster).
It's observed that profiling is not working and endpoints do not even show up in Context Visibility.
Thus, users are getting authenticated, but the final access based on their endpoint profiles is not getting applied for them.
This seems to be random in nature as well; after some time endpoints will get profiled and the final access applied.
Troubleshooting:
Swapped PAN node personas between primary and secondary.
Performed Context Visibility sync between the nodes.
Performed reboot of the primary and secondary admin nodes.
Has anyone faced such an issue before, where endpoints just fail to profile or do not even show up in Context Visibility?
Or what could the troubleshooting steps be?
There is already a TAC opened and working on this issue in background.
08-10-2022 05:50 AM
Did you go directly from 2.2 to 2.7? Did your policies transfer correctly to the new Policy Set structure that was introduced in 2.3? I usually recommend building a parallel ISE cluster from scratch rather than upgrading from any version older than 2.3. The automatic policy conversion logic can make quite a mess of things. What was your upgrade path? Direct? Did you change the IPs of any of your ISE nodes, so that the DHCP relay profiling data is no longer hitting one of the ISE nodes?
08-10-2022 08:54 AM
To add to what @ahollifield said, if using policy conditions such as Wired_MAB or Wireless_MAB, you want to delete them and add them again with the new Policy Engine for them to work correctly. 2.2 to 2.7 is QUITE the jump, but it's definitely worth it!
08-15-2022 12:52 PM
Not going to duplicate the effort of TAC here.
08-17-2022 02:31 AM - edited 08-17-2022 02:33 AM
The issue has been resolved, with the assistance from Cisco TAC.