Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1831
Views
0
Helpful
4
Replies

Context Visibility->Endpoints in ISE 2.1

Go to solution
paul
Level 10
Level 10

‎09-22-2016 09:30 AM

I am running ISE 2.1 patch 1 and have a "Is this functioning as designed?" question.

In the Context Visibility->Endpoints display there is a two columns which seem to be miscoded.  The "Authorization Policy" seems to be showing the "Authentication Policy" result.  I always see "Default" in this column which is true for the authentication policy the endpoint hit but definitely not the authorization policy.  The "Authorization Profile" is showing the authorization rule name not the authorization profile.  There is a difference and a column called authorization profile should show the profile the endpoint hit not the rule name.

Are these as designed?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-22-2016 09:41 AM

It might be a bug as the endpoint I checked has the same info as AllowedProtocolMatchedRule in the endpoint detail. Let me check with our teams.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-22-2016 09:41 AM

It might be a bug as the endpoint I checked has the same info as AllowedProtocolMatchedRule in the endpoint detail. Let me check with our teams.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to hslai

‎09-23-2016 06:19 AM

I found another bug on that Context Visibility screen.  You can clearly see in the RADIUS Live Logs that the MAC address has correctly hit my Dot1x Domain Computer rule:

But Context Visibility shows it hitting the MAB Catch All rule:

I have a Wired MAB Policy Set and Wired Dot1x Policy Set.  So it seems like it is recording the result from the MAB policy set which isn’t correct.  The MAC is correctly authenticated via 802.1x from my Dot1x policy set.

You can also see the issue I described in the first part of my posting.  The “Authorization Policy” is completely wrong and the “Authorization Profile” is showing the rule name not the actual profile name.

Paul Haferman

Preview file
23 KB
Preview file
18 KB
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to paul

‎09-23-2016 08:22 AM

I think the authorization profile not getting updated, as it's not considered as an attribute significant to profiling classification. Thanks for the feedback and I will follow it up with our teams.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-23-2016 09:38 PM

CSCvb46991 VCS mismatch/missing mapping -- authz policy and device id

CSCvb28481 EP data not updating in Context Visibility UI after CoA/re-auth

FYI

0 Helpful
Customers Also Viewed These Support Documents