Cisco Bug: CSCvt31234 - Multiple MDM Dictionaries on ISE
Jul 20, 2020
- Cisco Identity Services Engine
Known Affected Releases
2.2(0.470) 2.3(0.298) 2.4(0.357) 2.6(0.156)
Symptom: Because ISE has only one MDM dictionary, it is very difficult to tell ISE which MDM server it needs to query. ISE makes only one API call, and that call is based on the authorization rule it hits. If ISE does not yet have an assigned MDM server for the endpoint, it assigns the first MDM server that is checked for in the rule. For example, when a user comes into the flow for the first time, ISE has no MDM server assigned yet, so it goes through the rules until one matches. As soon as ISE evaluates whether MDMServerName EQUALS MDM1, it assigns MDM1 as the MDM server for that endpoint. The MDM server is assigned at the moment ISE checks whether the endpoint is a part of it. The problem is that multiple MDM servers cannot be checked, because ISE assigns the first MDM server it checks as the endpoint's MDM server for the rest of the endpoint's life in ISE, unless the endpoint is deleted from context visibility and goes through the flow again.
Conditions: All ISE 2.x versions.