INC-2026-03-16: Strongline Gateway VLAN Assignment

Incident Summary

INC Number:   INC-2026-03-16-001
Severity:     Medium (user-reported, 8 devices)
Status:       Open
Reported:     2026-03-16
Reporter:     Arin Khachikyan (Network Engineer)
Assigned:     David Rukiza, Ntashamaje (Security Analyst)
Related TAC:  TAC-2026-03-chla-8021x-auth-failures

Problem Statement

8 Strongline gateway devices are assigned to an incorrect ISE identity group, resulting in incorrect VLAN assignment. These devices should be in a designated identity group that maps to the correct network VLAN.

Background

  • Previous remediation used Cisco ISE CSV import to move devices to the correct identity group

  • 8 devices remain in the wrong identity group

  • Impact: Devices receiving incorrect network access (wrong VLAN)

Stakeholders

Name             Role                             Interest
Arin Khachikyan  Network Engineer                 Opened incident, requires resolution
David Rukiza     verify title                     Assigned for remediation
Ntashamaje       Security Analyst (InfoSec team)  Assigned for remediation

Investigation

Identify Affected Devices

# List all Strongline devices and their current identity groups
netapi ise -f json endpoints | jq -r '.[] | select(.description // "" | test("strongline"; "i")) | [.mac, .identityGroup, .description] | @tsv' | column -t

# Or search by endpoint profile if assigned
netapi ise -f json endpoints | jq -r '.[] | select(.profileId // "" | test("strongline"; "i")) | [.mac, .identityGroup] | @tsv'

Verify Expected Identity Group

# List all identity groups to find the correct one
netapi ise -f json identity-groups | jq -r '.[] | [.name, .id] | @tsv' | column -t

# Search for Strongline-related group
netapi ise -f json identity-groups | jq '.[] | select(.name | test("strongline"; "i"))'

Check Current VLAN Authorization Rules

# View authorization policies (may need GUI for full context)
netapi ise policy-sets

# Check if identity group is referenced in authorization rules
# GUI: Policy > Policy Sets > [Policy Set] > Authorization Policy

Remediation Options

Option A: CSV Import (Previous Method)

# Export current endpoint data
netapi ise -f json endpoints > /tmp/endpoints-$(date +%Y%m%d).json

# Create CSV with correct format:
# MACAddress,IdentityGroup
# AA:BB:CC:DD:EE:FF,Strongline_Gateways

# Import via GUI:
# Administration > Identity Management > Identities > Endpoints > Import
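
One way to build the Option A import file from the exported JSON rather than typing it by hand (an added example, not part of the original runbook). The field names mac, identityGroup and description come from the jq filters above; the sample records are constructed, and Strongline_Gateways is assumed to be the target group as in the CSV comment.

```python
import csv
import io
import json
import re

# Constructed sample in the shape the jq filters above expect
# (mac, identityGroup, description); not real device data.
SAMPLE = json.loads("""[
 {"mac": "02:00:00:00:00:01", "identityGroup": "Strongline_Gateways", "description": "Strongline Gateway 1"},
 {"mac": "02-00-00-00-00-02", "identityGroup": "Unknown", "description": "strongline gw 2"},
 {"mac": "0200.0000.0003", "identityGroup": "Profiled", "description": "STRONGLINE GW 3"},
 {"mac": "02:00:00:00:00:04", "identityGroup": "Unknown", "description": null},
 {"mac": "02:00:00:00:00:05", "identityGroup": "Workstations", "description": "nurse station PC"}
]""")

def normalize_mac(mac):
    """Return AA:BB:CC:DD:EE:FF regardless of separator or case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def find_misassigned(endpoints, expected_group, pattern="strongline"):
    """Endpoints whose description matches but whose group is not the expected one."""
    hits = []
    for ep in endpoints:
        desc = ep.get("description") or ""   # same null handling as `// ""` in jq
        if re.search(pattern, desc, re.IGNORECASE) and ep.get("identityGroup") != expected_group:
            hits.append(ep)
    return hits

def build_import_csv(endpoints, expected_group):
    """CSV text in the MACAddress,IdentityGroup layout shown above."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["MACAddress", "IdentityGroup"])
    for mac in sorted({normalize_mac(ep["mac"]) for ep in endpoints}):
        writer.writerow([mac, expected_group])
    return buf.getvalue()

if __name__ == "__main__":
    wrong = find_misassigned(SAMPLE, "Strongline_Gateways")
    print(f"{len(wrong)} endpoint(s) outside the expected group")
    print(build_import_csv(wrong, "Strongline_Gateways"), end="")
```

The fourth sample record has no description, so a description-based search does not find it. Compare the number of rows produced against the 8 reported devices before importing.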

Option B: netapi Bulk Update (Preferred)

# Get the identity group ID for the target group
TARGET_GROUP_ID=$(netapi ise -f json identity-groups | jq -r '.[] | select(.name == "STRONGLINE_GROUP_NAME") | .id')

# Update each endpoint (requires endpoint ID)
# For each MAC address:
ENDPOINT_ID=$(netapi ise -f json endpoints | jq -r '.[] | select(.mac == "AA:BB:CC:DD:EE:FF") | .id')

# Update endpoint's identity group
netapi ise api-call openapi PUT "/api/v1/endpoint/$ENDPOINT_ID" --data "{\"groupId\": \"$TARGET_GROUP_ID\"}"

Option C: ISE ERS API Direct

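# List endpoints to find the 8 affected devices
# Note: -k disables TLS certificate validation; where the ISE CA chain is
# available, pass it with --cacert instead.
# The -u argument is quoted so special characters in the password survive.
curl -s -k -u "admin:$ISE_PASSWORD" \
  -H "Accept: application/json" \
  "https://ppan.ise.chla.org:9060/ers/config/endpoint?filter=mac.CONTAINS.STRONGLINE_MAC_PREFIX" | jq

# Update endpoint identity group
# Replace {id} with the endpoint ID and TARGET_GROUP_ID with the group ID
curl -s -k -u "admin:$ISE_PASSWORD" \
  -H "Content-Type: application/json" \
  -X PUT "https://ppan.ise.chla.org:9060/ers/config/endpoint/{id}" \
  -d '{
    "ERSEndPoint": {
      "groupId": "TARGET_GROUP_ID",
      "staticGroupAssignment": true
    }
  }'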

Verification

Post-Remediation Checks

# Verify all 8 devices now in correct group
netapi ise -f json endpoints | jq -r '.[] | select(.description // "" | test("strongline"; "i")) | [.mac, .identityGroup] | @tsv' | column -t

# Verify count
netapi ise -f json endpoints | jq '[.[] | select(.identityGroup == "Strongline_Gateways")] | length'

# Check session logs for VLAN assignment
netapi ise -f json mnt sessions | jq '.[] | select(.calling_station_id | test("STRONGLINE_MAC_PREFIX")) | {mac: .calling_station_id, vlan: .vlan_id}'

Force Re-authentication (If Needed)

# CoA (Change of Authorization) to force device re-auth
# This requires NAD CoA configuration

# Or physically disconnect/reconnect device
# Or wait for session timeout

Communication Log

Date        Who              Notes
2026-03-16  Arin Khachikyan  Reported 8 Strongline gateways in wrong identity group
2026-03-16  David Rukiza     Assigned for remediation
2026-03-16  Ntashamaje       Assigned for remediation (InfoSec support)

Root Cause Analysis

To be completed after remediation

  • Why were 8 devices not included in the original CSV import?

  • Is there a process gap for new Strongline gateway deployments?

  • Should there be automated identity group assignment based on MAC OUI or profile?

Prevention

  • Document Strongline gateway onboarding process

  • Consider profiling rule to auto-assign identity group

  • Add Strongline gateway check to ISE health monitoring