Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2210
Views
5
Helpful
4
Replies

ISE 2.3 patch 2 - Policy set rule does not match rule with custom logical profile.

Rodrigo Gurriti
Level 3
Level 3

‎05-08-2018 06:21 AM - edited ‎02-21-2020 10:55 AM

Hello,

 

Just found something odd. 

 

Custom profile for a few printers.

I then added them to a logical profile.

Created a policy for them.

 

Tested the printers, they get the profiled.

They show up on the logical profile, I can see all MAC addresses. 

They match the policy. Life is great!

 

A couple days later they don't match anymore. The policy because ISE doesn't see match the logical profile. 

Other policies using logical profile are OK

I re-did all the profile policies, logical profile and policy set. It works, but if there is a re-auth they will not match anymore.

I also noticed that the ISE cannot get information from the logical profile. 

Untitled.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

TAC does not know what is going on, but I work around by creating a policy matching on the profiled device instead of the logical profile and it works. 

 

PS. I have other custom logical profiles and they work just fine. 

 

Has anyone seen this before? 

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1

‎05-08-2018 12:31 PM - edited ‎05-08-2018 12:31 PM

Hi  Rodrigo

I have the same ISE version with the same patch level (Cisco ISE 2.3 Patch2) but I don't use logical profiles I normally use Profiling Policies with Policy Enabled option and use them in Conditions under Authorization rules.

I use Profiling Policies mostly for dynamic assignment (Profiling) and Static assignment via Endpoint group it always work perfectly fine. (Printers, AVAYA IP phones, Cisco AP, CCTV Camera,...etc)

Can you I just ask what the requirement that mandate you to use Logical profile ? 

 

Here is a sample of an Avaya IP Phone normal reauthentication repeated logs

5.png

0 Helpful

Rodrigo Gurriti
Level 3
Level 3
In response to Mohamed Abd Elnaser Mohamed Mohamed Ali

‎05-08-2018 12:38 PM

I have to group several devices that will use MAB, and give a single authorization policy.

 

TAC got it fixed, we are monitoring. We had to install patch 3 because of another bug and after the re-start, logical profiles on ISE started to work. 

 

We were not able to troubleshoot the problem very well because there was another bug impacting the log creation and without a log, we were not able to troubleshoot. 

0 Helpful

Mohamed Abd Elnaser Mohamed Mohamed Ali
Level 1
Level 1
In response to Rodrigo Gurriti

‎05-08-2018 01:16 PM

Hi Rodrigo

Great to hear you issue got fixed. BTW, i'm upgrading this week to patch 3 as well as i have hit 2 bugs already  one of them is the one you mentioned above about log creation (CSCvg30444)

Anyway it was TAC recommendation in my case to apply patch 3 

Rodrigo Gurriti
Level 3
Level 3
In response to Mohamed Abd Elnaser Mohamed Mohamed Ali

‎05-08-2018 02:03 PM

Hi Mohamed,
Yes, that was one of the bugs we hit here as well, glad it is fixed!
0 Helpful
Customers Also Viewed These Support Documents