topic IdentityAccessRestricted attribute in Network Access Control

IdentityAccessRestricted attribute

rezaalikhani — Wed, 15 Nov 2023 06:40:54 GMT

Hi all;

In the "Active Directory Integration with Cisco ISE 2.x" article, we read:

IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met.

Can anyone explain what does "to support legacy policies" mean?

Thanks

Re: IdentityAccessRestricted attribute

balaji.bandi — Wed, 15 Nov 2023 09:57:39 GMT

You need to provide document reference where you reading this, the context is depends on use case.

"to support legacy policies" mean? - i take this as backward compatibility.

Re: IdentityAccessRestricted attribute

rezaalikhani — Wed, 15 Nov 2023 10:15:45 GMT

The link to the document is:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Backward compatibility with what?

Re: IdentityAccessRestricted attribute

Arne Bier — Thu, 16 Nov 2023 06:50:35 GMT

@rezaalikhani - this dictionary still exists if there is an active AD Join configured, and it looks like this Boolean was previously available in older versions of ISE (or even from ACS) during the Authentication phase, to check if an account was disabled etc. - but ISE has changed since then, and you can't test this Boolean during Authentication. It's available during Authorization only. But not sure if that makes much sense, because you won't get that far if the Authentication fails. Perhaps you can force the If AuthFail CONTINUE and then test for this in AuthZ.

BTW, I can't find any mention of the text "IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met." in the link you sent.

Re: IdentityAccessRestricted attribute

rezaalikhani — Thu, 16 Nov 2023 11:09:30 GMT

Thanks for your reply...

The actual document is:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

I searched and found that Cisco has removed the following statement beginning from ISE 2.2 documents:

Additionally, you can can set the IdentityAccessRestricted attribute if conditions mentioned above (for example, user disabled) are met. IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met.