topic RBAC - Read only is not working for External Admin User in ISE 2.4 in Network Access Control

RBAC - Read only is not working for External Admin User in ISE 2.4

jakeraze — Sun, 15 Dec 2019 15:22:49 GMT

Hello,

I have questions regarding Admin Access, if the Admin user that i created is based on External AD.

and If i tick the read only or apply an rbac-read only policy.

It is not affecting the admin account. Once i Login, i can still write on ISE.

but if i create an internal admin account on ISE. Read only and RBAC policy is working.

Have you encountered this scenario? How to fix this.

Thanks in advance

Re: RBAC - Read only is not working for External Admin User in ISE 2.4

Damien Miller — Sun, 15 Dec 2019 22:15:00 GMT

Is the AD user only mapped to a single group leveraged in the admin access policy or multiple?

I could see ise using first match rather than least privilege for access but I have not tested it.

What ise admin groups are you trying to leverage right now?

Re: RBAC - Read only is not working for External Admin User in ISE 2.4

jakeraze — Mon, 16 Dec 2019 07:14:21 GMT

I created custom admin groups that have limitation on viewing some menu. - didn't work as external
i tried helpdesk admin group. - still did not work if the account is external.

same username and make it as internal to ISE. - Read only and RBAC Helpdesk admin is working.

is this some kind of a bug? using ISE 2.4 patch none.

Re: RBAC - Read only is not working for External Admin User in ISE 2.4

Timothy Abbott — Tue, 17 Dec 2019 00:45:09 GMT

It is possible that you are hitting a defect as RBAC read-only support with external identity sources gained support in ISE 2.3. I would also check the release notes to see if there is a defect listed and if it is resolved in a patch for ISE 2.4. If not, you can contact the TAC to troubleshoot further.

Regards,
-Tim