1333 Views, 0 Helpful, 7 Replies

ACS DefaultDeny in ISE 2.0

alkirk (Level 1)

My customer just let me know about this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322

The bug is that the old ACS functionality of a "DefaultDeny", which keeps users who match no authorization rules off the network, is not present in ISE 2.0. The bug is marked as fixed, but the functionality is still missing, according to my customer: non-matching devices are getting online no problem.

Does anyone have any guidance on the nature of the fix, or have any knowledge of this fix not actually being a fix elsewhere in the field?

Accepted Solution

hslai (Cisco Employee)

It's addressed in ISE 2.1. Please try it with ISE 2.1 to see the fix.

7 Replies


Sorry, I should have included the version the customer went to on the fix: 2.1.0.474. That's the version it's supposedly fixed in, no?

hslai (Cisco Employee)

As discussed offline, only the default Deny All Shell Profile has this special property. Since it has an associated TAC case, let us work TAC on this for further concerns.

AdminHH (Level 1)

The bug is still present in version 2.1.0.474.

They only introduced a "none" profile for Nexus, but this does not resolve the fundamental (security) error.

In the "Authentication Policy" the possibility to use groups (AD or local) is missing.

As a workaround I set a rule for each individual user:

If Network Access:Protocol EQUALS TACACS+, Allow Protocols: Default Network Access, and

    if TACACS:User EQUALS myuser1, use Internal Users

    if TACACS:User EQUALS myuser2, use Internal Users

    if TACACS:User EQUALS myuser3, use Internal Users

Default Rule (if no match): Allow Protocols: Default Device Admin, and use: DenyAccess


http://www.networking-forums.com/index.php?PHPSESSID=bho139ge7ma4aqct55hfipqsf2&topic=737.0

https://communities.cisco.com/thread/64270?start=0&tstart=0

https://www.reddit.com/r/networking/comments/4mzvm5/cisco_iseacs_tacacs_authentication_based_on/?
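As an added example (not code from ISE, Cisco, or any poster in this thread), the following Python models the first-match rule chain in the workaround above: one TACACS+ rule per user sending the login to Internal Users, then a Default rule returning DenyAccess. It lets you check offline that a user matching no rule is denied, and contrasts that with a chain whose default returns a permit result, which is the fall-through the original post reports seeing. The attribute names are borrowed from the ISE condition syntax; the evaluation order, the "DenyAccess" sentinel and the "PermitAccess" label for the open variant are assumptions of this model, and the sample requests are constructed.

```python
"""First-match policy model with a fail-closed default.

Added illustration, not code from ISE or from anyone in this thread. It
reproduces the shape of the workaround posted above (one authentication
rule per TACACS+ user, then a Default rule that returns DenyAccess) so the
fall-through behaviour can be checked offline. Attribute names such as
"TACACS:User" are borrowed from the ISE condition syntax; the evaluation
order and the "DenyAccess" / "PermitAccess" labels are assumptions here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]
Condition = Callable[[Request], bool]

DENY = "DenyAccess"


@dataclass
class Rule:
    name: str
    condition: Condition
    result: str  # identity store (authentication) or profile (authorization)


@dataclass
class Policy:
    rules: List[Rule]
    default_result: str  # what the "Default Rule (if no match)" returns


def equals(attr: str, value: str) -> Condition:
    """Condition factory for '<attr> EQUALS <value>'."""
    return lambda req: req.get(attr) == value


def all_of(*conds: Condition) -> Condition:
    """AND of several conditions (the 'and' between a rule's clauses)."""
    return lambda req: all(c(req) for c in conds)


def evaluate(policy: Policy, req: Request) -> str:
    """First-match evaluation: the first rule whose condition holds decides;
    if none holds, the default rule decides."""
    for rule in policy.rules:
        if rule.condition(req):
            return rule.result
    return policy.default_result


def workaround_policy(users: List[str]) -> Policy:
    """Policy shaped like the workaround above: per-user TACACS+ rules
    sending the user to Internal Users, then Default -> DenyAccess."""
    rules = [
        Rule(
            name=f"user-{u}",
            condition=all_of(
                equals("Network Access:Protocol", "TACACS+"),
                equals("TACACS:User", u),
            ),
            result="Internal Users",
        )
        for u in users
    ]
    return Policy(rules=rules, default_result=DENY)


def is_fail_closed(policy: Policy) -> bool:
    """Audit check: an unmatched request must land on DenyAccess."""
    return policy.default_result == DENY


def tacacs_request(user: str, protocol: str = "TACACS+") -> Request:
    """Constructed sample request, as the policy would see it after the
    network device forwards the login."""
    return {"Network Access:Protocol": protocol, "TACACS:User": user}


if __name__ == "__main__":
    closed = workaround_policy(["myuser1", "myuser2", "myuser3"])
    # Same rules, but a default that returns a permit result: anyone who
    # matches no rule gets through, which is the fall-through the thread
    # describes for non-matching users.
    open_ = Policy(rules=closed.rules, default_result="PermitAccess")
    for name, pol in (("fail-closed", closed), ("fall-through", open_)):
        print(f"{name}: default deny = {is_fail_closed(pol)}")
        for user in ("myuser1", "someone-else"):
            print(f"  {user:14s} -> {evaluate(pol, tacacs_request(user))}")
```

The point of `is_fail_closed` is the audit you would run after an upgrade or restore: the per-user rules can all be present and correct, and the chain is still open if the default rule does not end in DenyAccess.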

hslai (Cisco Employee)

Many thanks for the new workaround.

The bug is resolved in ISE 2.1, but there is a new bug for upgrade or backup-and-restore from the previous releases. The fix is not a NONE profile but a new default Deny All Shell Profile. Please use your workaround until a patch is available to add back the default deny-all shell profile for upgrade use cases.

What's the bug ID for the restore/upgrade bug? I just had a customer report that this is still not working in ISE 2.1 Patch 2.

Thanks

CSCva04654 on restore/upgrade, but it should have been included in 2.1 Patch 1.

CSCvc15000 is a newer bug. No official patch available yet but it has a workaround in RNE.

Also note that NX-OS has a T+ client issue. The workaround is in our ISE T+ lab guide available in Sales Connect.