
Static group assignment and Identity group assignment changing by themselves

Under a certain block of endpoints with ISE, we currently have Static Group Assignment checked and a specific Identity group assignment set for a large block of devices within our ISE environment. These are High School Chromebooks that have not had much activity on the network recently. Randomly the Static Group Assignment will become unchecked and the Identity group assignment will change to "workstation".

 

We cannot find the cause of why the endpoints are changing themselves and are looking for input from the community.

2 Replies

Damien Miller
VIP Alumni
The most common reason this happens is that the endpoints are being purged by an endpoint purge rule. By default they typically won't be, but if someone set up a rule based on inactivity days, then there is no filter for static identity group = true. Check on those here, https://<ise admin ip>/admin/#administration/administration_identitymanagement/administration_identitymanagement_generalsettings/endpointPurge

In the past, there was also a profiling bug with DHCP helpers being sent at the same time to two different PSNs. That would cause the endpoint to be reset and lose its static mapping; however, that was fixed at least a year and a half ago or more.

Thank you for your reply!

I already looked at this before but took another look for good measure. There were two Purge rules created, one of which could have possibly contained these devices at one time, but when we checked there were no EndPoints listed under the Identity Group associated with the condition. To eliminate this being the issue, we deleted both the Purge rule and the Identity Group associated as they were not needed anyway.

We ran another test that I believe is part of the problem but I still need to continue troubleshooting to see if it is related. This issue has been occurring with Chromebooks for a school district. We took a random Chromebook, looked over its EndPoint settings, it was currently configured with the correct Policy and Identity Group and we added it to the guest network. After the device was on the Guest network, the static assignment went away, the Policy assignment changed, the Static Group assignment was still checked, and the Identity Group Assignment had changed.

We checked the EndPoint Identity Group EndPoints for the group this was changed to and we could see the EndPoint Profile listed and they were all marked Static Group Assignment = false. 

I think this issue lies somewhere in the Profiler Policy so that is where I am with troubleshooting now.
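
An added example, not part of any post in this thread: a snapshot diff that separates the three outcomes discussed above (endpoint gone, as a purge would leave it; static flag cleared; group changed while the flag is still set), so each change can be matched to a time window. It assumes endpoint records exported with ERS-style fields `mac`, `groupId`, `profileId` and `staticGroupAssignment`; the ids and MAC addresses are constructed placeholders.

```python
import string

def normalize_mac(mac):
    """Canonicalize a MAC so 00-00-5e-.. and 00:00:5E:.. compare equal."""
    digits = "".join(c for c in mac if c in string.hexdigits).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_drift(before, after):
    """Return {mac: [findings]} for endpoints that were static in `before`."""
    old = {normalize_mac(e["mac"]): e for e in before}
    new = {normalize_mac(e["mac"]): e for e in after}
    report = {}
    for mac, prev in old.items():
        if not prev.get("staticGroupAssignment"):
            continue  # only statically assigned endpoints are of interest
        cur = new.get(mac)
        if cur is None:
            report[mac] = ["missing (deleted or purged)"]
            continue
        findings = []
        if not cur.get("staticGroupAssignment"):
            findings.append("static flag cleared")
        for field, label in (("groupId", "group"), ("profileId", "profile")):
            if cur.get(field) != prev.get(field):
                findings.append(f"{label} {prev.get(field)} -> {cur.get(field)}")
        if findings:
            report[mac] = findings
    return report

def ep(mac, static, group, profile):
    """Build one constructed endpoint record (assumed ERS-style field names)."""
    return {"mac": mac, "staticGroupAssignment": static,
            "groupId": group, "profileId": profile}

# Constructed snapshots: placeholder ids, documentation-range MACs.
BEFORE = [ep(f"00:00:5E:00:53:0{n}", True, "grp-chromebooks", "prof-chromeos")
          for n in (1, 2, 3, 4)]
BEFORE.append(ep("00:00:5E:00:53:05", False, "grp-workstation", "prof-workstation"))
AFTER = [
    ep("00:00:5E:00:53:01", True, "grp-chromebooks", "prof-chromeos"),
    ep("00-00-5e-00-53-02", False, "grp-workstation", "prof-workstation"),
    ep("00:00:5E:00:53:03", True, "grp-guest", "prof-chromeos"),
    ep("00:00:5E:00:53:05", False, "grp-guest", "prof-workstation"),
]

if __name__ == "__main__":
    for mac, findings in sorted(classify_drift(BEFORE, AFTER).items()):
        print(mac, "; ".join(findings))
```

Taking snapshots on a schedule and diffing consecutive pairs narrows each change to an interval that can be compared against purge runs and guest-network authentications.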