
ISE Issue: Statically Assigned MAC Endpoints Reverting to Default Grou

Essa_Rahemi
Level 1

We are noticing that some of our MAB (MAC Authentication Bypass) devices, primarily printers, are intermittently losing their static endpoint group assignments in Cisco ISE and reverting to the default or "Unknown" profile. We have already verified that purging is not the cause, as the affected endpoints are consistently connected to the network. Given our complex environment, we suspect that the auto-profiling mechanism in ISE might be overwriting the static group assignments. We’ve raised a TAC case, but Cisco is requesting debug logs—which poses a challenge since we are not sure exactly when the issue is occurring. We are looking for best practices or configuration recommendations to prevent static endpoint groups from being overwritten, and to ensure persistent group assignments for MAB devices like printers. Any guidance on preventing dynamic profiling from interfering with static settings, or recommended policy configurations, would be appreciated.

7 Replies

The profiling profile condition is not correct, I think.

Can I see it?

MHM

Just assigning the MAC address of the endpoint statically in a group.

Can I see the policy you added in ISE?

Also the live log detail when the printer wrongly uses the default.

MHM

wajidhassan
Level 4

Hi @Essa_Rahemi ,

When static endpoint groups for MAB devices revert to defaults, it’s often due to ISE’s auto-profiling overwriting assignments. Please consider the following:

  • Static Group Locking – Ensure static endpoints have the “Static Group Assignment” option enabled to prevent profiling changes.

  • Profiling Policy – Review profiling policies to exclude or limit profiling for critical MAB devices like printers.

  • Purge Settings – Confirm endpoint purge timers aren’t causing unexpected removals.

  • TAC Debug Logs – Since timing is uncertain, enable logging with filters on endpoint MACs to capture events when changes occur.

Implementing these should help maintain persistent group assignments.
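Since the thread's sticking point is not knowing when an endpoint loses its static assignment, here is an added example (not part of any post in this thread, and not Cisco code) that diffs two periodic endpoint snapshots and reports which statically assigned MACs changed and in which time window. It assumes each snapshot record carries `mac`, `groupId` and `staticGroupAssignment` fields in the shape of the ERS endpoint resource; the snapshot layout, group IDs and MAC addresses are constructed.

```python
# Constructed snapshots; field names are assumed to follow the ERS endpoint
# resource, and the "taken" timestamp is added by whatever collects them.
BEFORE = {"taken": "2025-01-10T08:00:00Z", "endpoints": [
    {"mac": "00:11:22:AA:BB:01", "groupId": "grp-printers", "staticGroupAssignment": True},
    {"mac": "00:11:22:AA:BB:02", "groupId": "grp-printers", "staticGroupAssignment": True},
    {"mac": "00:11:22:AA:BB:03", "groupId": "grp-printers", "staticGroupAssignment": True},
    {"mac": "00:11:22:AA:BB:04", "groupId": "grp-printers", "staticGroupAssignment": True},
]}
AFTER = {"taken": "2025-01-10T08:15:00Z", "endpoints": [
    {"mac": "00-11-22-aa-bb-01", "groupId": "grp-printers", "staticGroupAssignment": True},
    {"mac": "0011.22aa.bb02", "groupId": "grp-unknown", "staticGroupAssignment": False},
    {"mac": "00:11:22:AA:BB:03", "groupId": "grp-printers", "staticGroupAssignment": False},
]}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 uppercase hex digits."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def index(snapshot):
    """Map normalized MAC -> endpoint record for one snapshot."""
    return {norm_mac(e["mac"]): e for e in snapshot["endpoints"]}

def find_reverts(before, after):
    """Report endpoints that were statically assigned in `before` and changed."""
    old, new = index(before), index(after)
    window = (before["taken"], after["taken"])
    findings = []
    for mac, was in sorted(old.items()):
        if not was.get("staticGroupAssignment"):
            continue  # only statically assigned endpoints are of interest
        now = new.get(mac)
        if now is None:
            kind = "missing"              # record gone: check purge rules
        elif now.get("groupId") != was.get("groupId"):
            kind = "group_changed"        # moved out of the static group
        elif not now.get("staticGroupAssignment"):
            kind = "static_flag_cleared"  # same group, but no longer pinned
        else:
            continue
        findings.append({"mac": mac, "kind": kind, "window": window})
    return findings

if __name__ == "__main__":
    for f in find_reverts(BEFORE, AFTER):
        print(f["window"][0], "->", f["window"][1], f["mac"], f["kind"])
```

The reported window bounds the time range to pull live logs or debug output for, and the `missing` case separates a purged record from a group overwrite.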

I am thinking the same, to prefer the static assignment for the MAB devices.

@Essa_Rahemi What version and patch are you running? Did TAC confirm it is not this bug? - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi60778 

Symptom: Endpoint which was assigned to identity group was removed from group post re authentication

Conditions: Endpoint /Endpoints have been assigned to static identity group. Endpoint re authenticates in the network.

You may need to install a patch, this was resolved in ISE 3.3 patch 3 and ISE 3.2 patch 6.

ISE = 3.3 patch 6. I have seen that bug, but it should not be present anymore in patch 6.
