Cisco Bug: CSCvt31234 - Multiple MDM Dictionaries on ISE

Last Modified

Jul 20, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.2(0.470) 2.3(0.298) 2.4(0.357) 2.6(0.156)

Description (partial)

Symptom:
Because we only have one MDM dictionary, it is very difficult to tell ISE which MDM server it needs to query. ISE makes only one API call, and the server it calls depends on which authorization rule it hits. If ISE does not yet have an MDM server assigned to the endpoint, it assigns the first MDM server that we check for in the rules. For example, when a user comes into the flow for the first time, ISE has no MDM server assigned to the endpoint, so it goes through the rules until one matches. As soon as it evaluates the condition MDMServerName EQUALS MDM1, ISE assigns MDM1 as the MDM server for that endpoint. In other words, the MDM server is assigned at the moment ISE checks whether the endpoint is a part of it.

The problem is that we cannot check multiple MDM servers: ISE assigns the first MDM server it checks as the endpoint's MDM server for the rest of the endpoint's life in ISE, unless we delete the endpoint from context visibility and have it go through the flow again.

Conditions:
All ISE 2.x versions.
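
The symptom above can be reproduced in a small model. This is an added example, not ISE code and not from Cisco: it models only the first-check pinning and single API call the description states. The second server name MDM2, the rule names, the MAC addresses, the enrollment table and the assumption that each rule also requires enrollment on the named server are all constructed for illustration.

```python
# Simplified model of the behaviour the description states; not ISE code.
# MAC addresses and enrollment data are constructed; MDM1 is the name used
# in the description, MDM2 is a hypothetical second server.

ENROLLED = {
    "AA:BB:CC:00:00:01": "MDM1",
    "AA:BB:CC:00:00:02": "MDM2",
}


class PolicyModel:
    def __init__(self, rules):
        self.rules = rules    # ordered (rule name, MDM server name) pairs
        self.assigned = {}    # endpoint -> MDM server pinned on first check
        self.api_calls = []   # (endpoint, server) queries actually made

    def authorize(self, mac):
        for rule, server in self.rules:
            # Evaluating "MDMServerName EQUALS <server>" pins that server
            # when the endpoint has no MDM server assigned yet.
            pinned = self.assigned.setdefault(mac, server)
            if pinned != server:
                continue      # condition false, this server is never queried
            self.api_calls.append((mac, pinned))   # the single API call
            # Assumption: the rule also requires enrollment on that server.
            if ENROLLED.get(mac) == pinned:
                return rule
        return "Default"

    def forget(self, mac):
        # Models deleting the endpoint so it goes through the flow again.
        self.assigned.pop(mac, None)


def demo():
    model = PolicyModel([("Rule-MDM1", "MDM1"), ("Rule-MDM2", "MDM2")])
    first = model.authorize("AA:BB:CC:00:00:02")
    again = model.authorize("AA:BB:CC:00:00:02")
    return first, again, model.assigned, model.api_calls


if __name__ == "__main__":
    print(demo())
```

In this model, reversing the rule order only moves the problem to the endpoints enrolled in the other server, and deleting the endpoint leads to the same pin as long as the rule order is unchanged.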