Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1003
Views
10
Helpful
3
Replies

Static Group Assignment will become unchecked cisco ISE

Go to solution
Micinel
Level 1
Level 1

‎09-27-2022 05:57 AM

Hello guys, i have issue with registered endpoint in Cisco ISE.

I manually marked endpoint Samsung TV for a Static Group Assignment, after few days the endpoint is unchecked. Have you some tips how to fix it?

 

ISE version:

Micinel_0-1664283424791.png

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎09-28-2022 01:50 PM

The only explanation I can see is that perhaps the endpoint was purged by a purge rule (you can look through your Reports to see what endpoint MAC addresses were purged to validate that theory) and then the endpoint was dynamically profiled.

I have never seen ISE uncheck this by itself.

You can also go through the Reports to see all the Admin activities - perhaps another admin had a hand in the game

Was the Samsung TV profile a Cisco Provided profile, or a Administrator Created profile?

View solution in original post

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-28-2022 10:39 PM

This was a really common bug in 2.4 when using dhcp ip helpers configured to send to two different nodes. The ISE nodes would receive the DHCP request packets at the same time and disagree, instead of sorting it out, the endpoint would be "reset".  ISE 2.7 is not susceptible to the bug though as it was fixed early on in 2.4. 

I agree with Arne, purge policies are the typical cause. 

View solution in original post

3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎09-28-2022 01:50 PM

The only explanation I can see is that perhaps the endpoint was purged by a purge rule (you can look through your Reports to see what endpoint MAC addresses were purged to validate that theory) and then the endpoint was dynamically profiled.

I have never seen ISE uncheck this by itself.

You can also go through the Reports to see all the Admin activities - perhaps another admin had a hand in the game

Was the Samsung TV profile a Cisco Provided profile, or a Administrator Created profile?

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-28-2022 10:39 PM

This was a really common bug in 2.4 when using dhcp ip helpers configured to send to two different nodes. The ISE nodes would receive the DHCP request packets at the same time and disagree, instead of sorting it out, the endpoint would be "reset".  ISE 2.7 is not susceptible to the bug though as it was fixed early on in 2.4. 

I agree with Arne, purge policies are the typical cause. 

Go to solution
Aref Alsouqi
VIP
VIP

‎09-29-2022 01:27 AM

I think the most secure way to ensure the devices are stuck with their group would be to create a custom profile to match those Samsung TVs.

0 Helpful
Customers Also Viewed These Support Documents