cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
355
Views
0
Helpful
5
Replies
Beginner

Cisco ISE 2.3 policy not adding objects to correct group

Hi,

I am using a BYOD-type policy where our employees login to their personal devices using their AD credentials linked to a CWA page.

I am having problems where, when a new device is logged in, it is not being added to the correct Endpoint Identity Group and is denied network access.

If I manually add the MAC address of the endpoint to the group, it works.

Oddly, the devices that are authenticated end up in an odd group which I cannot find, called S1-9{long number}

Any ideas?

Cheers

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Cisco ISE 2.3 policy not adding objects to correct group

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this
Cisco Employee

Re: Cisco ISE 2.3 policy not adding objects to correct group

Please work through the TAC
5 REPLIES 5
Cisco Employee

Re: Cisco ISE 2.3 policy not adding objects to correct group

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this
Beginner

Re: Cisco ISE 2.3 policy not adding objects to correct group

Thanks - I will update from patch 4 to patch 6 and let you know how I get on.

Greg
Highlighted
Cisco Employee

Re: Cisco ISE 2.3 policy not adding objects to correct group

Good start. Also consider moving to 2.4 as our latest long term recommended release
Beginner

Re: Cisco ISE 2.3 policy not adding objects to correct group

Hi, I've updated to patch 6 but still no joy. I will look into upgrading to version 2.4.
Odd how it was working, then stopped. The Guest Portal is configured to use the correct guest type and Endpoint Identity group, but still sends devices to a random 'group' -
S-1-5-21-2038665849-2013265171-455191445-20904####S-1-5-21-2038665849-2013265171-455191445-513

I also noticed that after patching to patch 6, I lost the ability to log into ISE using my domain details and can only log in as local admin.
Cisco Employee

Re: Cisco ISE 2.3 policy not adding objects to correct group

Please work through the TAC