Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4793
Views
40
Helpful
5
Replies

Updating endpoint custom attributes - ISE 2.4

Go to solution
itkinr
Level 1
Level 1

‎09-02-2020 05:40 AM

Hi,
I am trying to update endpoint custom attributes with PxGrid, using the com.cisco.endpoint.asset service.
When I issue the CREATE or UPDATE command for endpoints which do not exist in ISE, the endpoints are created and the custom attributes are populated successfully.
However, when I try to issue the same command for endpoints which already exist, the custom attributes are not updated. The other attributes, such as assetIpAddress, do get an update, so I assume the command is executed successfully. However, I am in need of periodically updating custom attributes, so I would really appreciate any ideas.
The ISE instance I'm using is running version 2.4.0.357.
Thanks.
 
1 Accepted Solution

Accepted Solutions

Go to solution
chyps
Level 1
Level 1

‎10-27-2020 04:34 PM - edited ‎10-28-2020 07:17 AM

It is not an issue with the Endpoint Attribute Filter which is basically limited to non-essential attributes and would not apply to custom attributes. To ensure custom attributes are available for profiling, you need to first go to Administration > System > Settings > Profiling and enable the option "Enable Custom Attribute for Profiling Enforcement."

There is another caveat that is not well documented which has the following requirement: In order to update custom attributes for a device using pxGrid Context-In, you must have

  1. a custom ISE endpoint profile policy based on one of the custom attributes sent to ISE, and
  2. the endpoint's profile must match that custom profile policy

These requirements must be met even if you don't want to modify the endpoint's profile policy and just want to leverage pxGrid for learning new attributes unrelated to profile policy assignment.

A couple bugids have resulted from these caveats including:

  • CSCvs28576: Data seen in elastic database is not the same seen as details on Oracle database when using pxGrid
  • CSCvs28577: pxGrid profiler is based upon custom attributes (basically a chicken and egg issue)

I recommend working with your Cisco account team to help prioritize resolution to these issues.

View solution in original post

5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-09-2020 08:21 AM

Can you provide examples of what is being used?

 

Are you trying the context-in use case? https://developer.cisco.com/docs/pxgrid/#!pxgrid-context-in

 

Make sure you call with macaddress and ipaddress

 

Please find the below expected response content [Working].

{"asset":{"assetMacAddress":"44:39:C4:51:00:37","assetIpAddress":"10:10:10:10","assetCustomAttributes":[{"key":"YourAttribute","value":"1"}]},"opType":"UPDATE"}

 

What they are sending now from customer setup[Non-Working].

{"asset":{"assetMacAddress":"44:39:C4:51:00:37","assetCustomAttributes":[{"key":"YourAttribute","value":"1"}]},"opType":"UPDATE"}

 

Modify the script to add IP address along with the mac address, then ISE will profile the custom attributes

 

0 Helpful

Go to solution
itkinr
Level 1
Level 1
In response to Jason Kunst

‎09-10-2020 08:00 AM

Thank you for your answer, Jason.
What I am trying to accomplish is using the endpoint custom attributes feature to enrich existing endpoints with additional data. I've set up custom attributes as described in the context-in use case documentation you've linked to.
The request I am sending matches the working content example you've provided, including the IP address. If the endpoint doesn't already exist prior to me sending this request, ISE will create a new endpoint and also successfully profile the custom attributes. However, when I execute the same request for an already existing endpoint, the custom attributes aren't being profiled. All else is - for example, if I supply a new assetSerialNumber, it will be updated successfully.
Is there anything else I can try?
Thanks.

0 Helpful

Go to solution
comara
Level 1
Level 1

‎09-15-2020 12:51 PM - edited ‎09-15-2020 01:50 PM

Hi,

 

I'm having the same issue in version 2.6 using the Context-In use-case.  For endpoints that are already active in the system I cannot update any custom attribute but I can update normal attributes (AssetName, AssetHwRevision, etc).  

If I remove the endpoint and add it back in through pxGrid I'm able to set the custom attribute, but once it's set, I'm not able to modify it it via pxGrid.

 

Every time I try to update an existing endpoint's custom attribute this shows up in profiler.log for the MAC/IP pair I'm trying to update:

 

2020-09-15 14:46:13,208 INFO [Grizzly(2)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE
2020-09-15 14:46:18,208 INFO [Grizzly(1)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE
2020-09-15 14:59:24,718 INFO [Grizzly(1)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE
2020-09-15 15:03:15,017 INFO [Grizzly(1)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE
2020-09-15 15:10:05,352 INFO [Grizzly(1)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE
2020-09-15 15:10:10,345 INFO [Grizzly(2)][] cisco.profiler.infrastructure.probemgr.Forwarder -::- Forwarder Mac 3A:A7:75:E4:A6:CD MessageCode null epSource PXGRIDPROBE

 

Is this expected behavior, permissions issue, something else?

 

Thank you!

Go to solution
poongarg
Cisco Employee
Cisco Employee

‎09-20-2020 07:49 AM

Check if Endpoint attribute Filter setting is enabled under Profiling settings.

ISE gets many attributes for an endpoint but filters them to consume the selected one's.

Go to solution
chyps
Level 1
Level 1

‎10-27-2020 04:34 PM - edited ‎10-28-2020 07:17 AM

It is not an issue with the Endpoint Attribute Filter which is basically limited to non-essential attributes and would not apply to custom attributes. To ensure custom attributes are available for profiling, you need to first go to Administration > System > Settings > Profiling and enable the option "Enable Custom Attribute for Profiling Enforcement."

There is another caveat that is not well documented which has the following requirement: In order to update custom attributes for a device using pxGrid Context-In, you must have

  1. a custom ISE endpoint profile policy based on one of the custom attributes sent to ISE, and
  2. the endpoint's profile must match that custom profile policy

These requirements must be met even if you don't want to modify the endpoint's profile policy and just want to leverage pxGrid for learning new attributes unrelated to profile policy assignment.

A couple bugids have resulted from these caveats including:

  • CSCvs28576: Data seen in elastic database is not the same seen as details on Oracle database when using pxGrid
  • CSCvs28577: pxGrid profiler is based upon custom attributes (basically a chicken and egg issue)

I recommend working with your Cisco account team to help prioritize resolution to these issues.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents