Static Identity Group Assignment changing in ISE

ahmad82pkn · ‎10-24-2024

Hi All,

We do static endpoint assignment to Identity groups in ISE. But even if endpoint is active the assignment changes to a different identity group after few hours or days.

Any idea how to troubleshoot such situation to narrow down the issue?

Rob Ingram · ‎10-25-2024

@ahmad82pkn what version of ISE and patch level are you running?

It could be a bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk94725

ahmad82pkn · ‎10-25-2024

We have ISE 3.1 . Do you know if 3.1 also impacted? Whats best way to check each version for same bug?

thomas · ‎10-25-2024

What is it changing to? Do you use profiling that might change it?

ahmad82pkn · ‎10-25-2024

No. Using script to manually add macs in identity group.
But next day . They are in different group. How can i find reason of this change.
Any logs that provide source that triggered change to move to other group?

Arne Bier · ‎10-27-2024

Check the configuration change logs in ISE to see who dunnit.

Operations / Reports / Audit / Change Configuration Audit

rvargo120 · ‎12-06-2024

It's almost certainly the profiler changing the endpoint identity group. There is at least one bug documenting this behavior. Should be fixed in 3.2 P7.

3.1 is affected by this, although, I'm not sure what triggers the bug. I know of as least one 3.1 deployment in production that just recently saw onset of this behavior after flawless operation for months.

I haven't seen anything in the release notes for 3.1, although, it looks like P10 should be coming out in January of 2025 which might contain a fix. Otherwise, if the business impact is significant enough, you may want to consider moving to 3.2.