Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1383
Views
0
Helpful
5
Replies

Cisco ISE 2.3 policy not adding objects to correct group

Go to solution
gregmoyse3
Level 1
Level 1

‎07-15-2019 07:59 AM - edited ‎02-21-2020 11:07 AM

Hi,

I am using a BYOD-type policy where our employees login to their personal devices using their AD credentials linked to a CWA page.

I am having problems where, when a new device is logged in, it is not being added to the correct Endpoint Identity Group and is denied network access.

If I manually add the MAC address of the endpoint to the group, it works.

Oddly, the devices that are authenticated end up in an odd group which I cannot find, called S1-9{long number}

Any ideas?

Cheers

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-15-2019 10:49 AM

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to gregmoyse3

‎07-18-2019 01:47 PM

Please work through the TAC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-15-2019 10:49 AM

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this
0 Helpful

Go to solution
gregmoyse3
Level 1
Level 1
In response to Jason Kunst

‎07-16-2019 12:52 AM

Thanks - I will update from patch 4 to patch 6 and let you know how I get on.

Greg
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to gregmoyse3

‎07-16-2019 05:19 AM

Good start. Also consider moving to 2.4 as our latest long term recommended release
0 Helpful

Go to solution
gregmoyse3
Level 1
Level 1
In response to Jason Kunst

‎07-18-2019 05:41 AM

Hi, I've updated to patch 6 but still no joy. I will look into upgrading to version 2.4.
Odd how it was working, then stopped. The Guest Portal is configured to use the correct guest type and Endpoint Identity group, but still sends devices to a random 'group' -
S-1-5-21-2038665849-2013265171-455191445-20904####S-1-5-21-2038665849-2013265171-455191445-513

I also noticed that after patching to patch 6, I lost the ability to log into ISE using my domain details and can only log in as local admin.
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to gregmoyse3

‎07-18-2019 01:47 PM

Please work through the TAC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents