https://community.cisco.com/t5/network-access-control/ise-tacacs-authentication-cscuy46322-restrict-authentiated-but/m-p/3548877#M536777 <HTML><HEAD></HEAD><BODY><P>Team, good day !</P><P></P><P>Regarding: <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322/?referring_site=bugquickviewredir">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322/?referring_site=bugquickviewredir</A></P><P></P><P>And situation when any user from AD can access VTY with default DenyAllCommands authorization policy &amp; many such logins could potentially deny Administration access through VTY.</P><P></P><P>In bug notice, known fixed release is ISE <SPAN lang="EN-US" style="font-size: 9.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;">2.1(0.474).</SPAN></P><P><SPAN lang="EN-US" style="font-size: 9.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;">We have all patches installed on ISE:</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 2.1.0.474</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Build Date&nbsp;&nbsp; : Wed May 25 07:34:43 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Sep 19 21:08:02 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine Patch </SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 1</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Sep 19 23:50:15 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine Patch </SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 2</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Nov 28 11:52:19 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN></P><P><SPAN style="text-decoration: underline;"> </SPAN></P><P>And provided few tests regarding Authentication.</P><P></P><OL style="list-style-type: decimal;"><LI>1) DenyAllCommands can not be deleted (to test DefaultDeny access to VTY)</LI><LI>2) Authenticated, but not authorized user still can access to VTY </LI><LI>3) Tried execute Autocommand ‘exit’ on such users – command doesn’t works</LI></OL><P></P><P>Team, any workarounds/solutions not to allow Authenticated, but not Authorized users not to allow access to VTY ? Or restrict Authentication to specific AD groups/OU’s ?</P><P></P><P>Thank you !</P></BODY></HTML> Tue, 06 Dec 2016 10:57:47 GMT epetyaks 2016-12-06T10:57:47Z https://community.cisco.com/t5/network-access-control/ise-tacacs-authentication-cscuy46322-restrict-authentiated-but/m-p/3548877#M536777 <HTML><HEAD></HEAD><BODY><P>Team, good day !</P><P></P><P>Regarding: <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322/?referring_site=bugquickviewredir">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322/?referring_site=bugquickviewredir</A></P><P></P><P>And situation when any user from AD can access VTY with default DenyAllCommands authorization policy &amp; many such logins could potentially deny Administration access through VTY.</P><P></P><P>In bug notice, known fixed release is ISE <SPAN lang="EN-US" style="font-size: 9.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;">2.1(0.474).</SPAN></P><P><SPAN lang="EN-US" style="font-size: 9.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;"> </SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Arial','sans-serif'; color: #444444; background: white;">We have all patches installed on ISE:</SPAN></P><P><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 2.1.0.474</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Build Date&nbsp;&nbsp; : Wed May 25 07:34:43 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Sep 19 21:08:02 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine Patch </SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 1</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Sep 19 23:50:15 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN><BR /> <BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Cisco Identity Services Engine Patch </SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">---------------------------------------------</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Version : 2</SPAN><BR /> <SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: black;">Install Date : Mon Nov 28 11:52:19 </SPAN><SPAN style="text-decoration: underline;"><SPAN lang="EN-US" style="font-size: 10.0pt; font-family: 'Helvetica','sans-serif'; color: blue;">2016</SPAN></SPAN></P><P><SPAN style="text-decoration: underline;"> </SPAN></P><P>And provided few tests regarding Authentication.</P><P></P><OL style="list-style-type: decimal;"><LI>1) DenyAllCommands can not be deleted (to test DefaultDeny access to VTY)</LI><LI>2) Authenticated, but not authorized user still can access to VTY </LI><LI>3) Tried execute Autocommand ‘exit’ on such users – command doesn’t works</LI></OL><P></P><P>Team, any workarounds/solutions not to allow Authenticated, but not Authorized users not to allow access to VTY ? Or restrict Authentication to specific AD groups/OU’s ?</P><P></P><P>Thank you !</P></BODY></HTML> Tue, 06 Dec 2016 10:57:47 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-authentication-cscuy46322-restrict-authentiated-but/m-p/3548877#M536777 epetyaks 2016-12-06T10:57:47Z https://community.cisco.com/t5/network-access-control/ise-tacacs-authentication-cscuy46322-restrict-authentiated-but/m-p/3548878#M536780 <HTML><HEAD></HEAD><BODY><P>If seen only with NX-OS, it's likely due to known issues with NX-OS devices. I documented the workaround in the lab guide for T+ in Sales Connect.</P><P></P><P>Otherwise, you are likely hitting a newer bug -- CSCvc15000.</P></BODY></HTML> Tue, 06 Dec 2016 17:32:54 GMT https://community.cisco.com/t5/network-access-control/ise-tacacs-authentication-cscuy46322-restrict-authentiated-but/m-p/3548878#M536780 hslai 2016-12-06T17:32:54Z