Symptom
9800-40 running 17.6.3 with ISE 3.1 patch 3. And a specific AV Pair that the controller sends to ISE is being sent incomplete.
We have an Access-Accept coming from ISE to the controller with the following AV pair: VSA: t=Cisco-AVPair(1) l=32 val=cts:security-group-tag=0011-01
And after that, we have an Accounting-Request coming from the controller to ISE with the same AV Pair but incomplete value: VSA: t=Cisco-AVPair(1) l=29 val=cts:security-group-tag=0011
in the Accounting-Request there is missing "-01" from the string, causing ISE not correctly setting the rules to the end device since it is not getting match as it's supposed to.
Further Problem Description
9800-40 running 17.6.3 with ISE 3.1 patch 3. And a specific AV Pair that the controller sends to ISE is being sent incomplete.
We have an Access-Accept coming from ISE to the controller with the following AV pair: VSA: t=Cisco-AVPair(1) l=32 val=cts:security-group-tag=0011-01
And after that, we have an Accounting-Request coming from the controller to ISE with the same AV Pair but incomplete value: VSA: t=Cisco-AVPair(1) l=29 val=cts:security-group-tag=0011
in the Accounting-Request there is missing "-01" from the string, causing ISE not correctly setting the rules to the end device since it is not getting match as it's supposed to.
