06-09-2016 06:54 AM
My customer just let me know that this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322
That is, the old ACS functionality of a "DefaultDeny" to keep users who match no authorization rules off the network is not present in ISE 2.0. The bug is marked as fixed, but the functionality is still missing, according to my customer - non-matching devices are getting online no problem.
Does anyone have any guidance on the nature of the fix, or have any knowledge of this fix not actually being a fix elsewhere in the field?
06-09-2016 06:59 AM
It's addressed in ISE 2.1. Please try it with ISE 2.1 to see the fix.
06-09-2016 07:03 AM
Sorry, should have included the version the customer went to on the fix - 2.1.0.474. That's the version it's supposedly fixed in, no?
06-09-2016 07:44 AM
As discussed offline, only the default Deny All Shell Profile has this special property. Since it has an associated TAC case, let us work TAC on this for further concerns.
06-15-2016 01:52 PM
The bug is still present in version 2.1.0.474.
They only introduced a "none" profile for Nexus, but this does not resolve the fundamental (security) error.
In the "Authentication Policy" the possibility to use groups (AD or local) is missing.
As a workaround I set a rule for each individual user:
If Network Access:Protocol EQUALS TACACS+ -> Allow Protocols: Default Network Access, and
  if TACACS:User EQUALS myuser1 use Internal Users
  if TACACS:User EQUALS myuser2 use Internal Users
  if TACACS:User EQUALS myuser3 use Internal Users
Default Rule (If no match): Allow Protocols: Default Device Admin and use: DenyAccess
http://www.networking-forums.com/index.php?PHPSESSID=bho139ge7ma4aqct55hfipqsf2&topic=737.0
https://communities.cisco.com/thread/64270?start=0&tstart=0
https://www.reddit.com/r/networking/comments/4mzvm5/cisco_iseacs_tacacs_authentication_based_on/?
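To make the effect of that per-user workaround concrete, here is an added simulation of first-match policy evaluation (my own illustration, not Cisco ISE code and not posted by anyone in the thread). It assumes ISE's authentication rows are evaluated top-down with all conditions ANDed, and that the "If no match" row decides what happens to everyone else; the fail-open default used for comparison is a constructed model of the behaviour the bug reports, not an actual ISE setting.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One authentication policy row: every condition must match; first match wins."""
    name: str
    conditions: dict        # attribute -> required value, e.g. {"TACACS:User": "myuser1"}
    identity_source: str    # e.g. "Internal Users" or "DenyAccess"


@dataclass
class Policy:
    rules: list
    default_result: str     # what the "Default Rule (If no match)" row returns

    def evaluate(self, request: dict) -> tuple:
        """Return (matched rule name, identity source) for a request attribute set."""
        for rule in self.rules:
            if all(request.get(attr) == val for attr, val in rule.conditions.items()):
                return rule.name, rule.identity_source
        return "Default Rule (If no match)", self.default_result


def workaround_policy(users, default_result="DenyAccess"):
    """Build the thread's rule set: one row per allowed user, then the default row."""
    rules = [
        Rule(f"allow-{u}",
             {"Network Access:Protocol": "TACACS+", "TACACS:User": u},
             "Internal Users")
        for u in users
    ]
    return Policy(rules, default_result)


def is_admitted(policy: Policy, username: str) -> bool:
    """True when the request is sent on to an identity source rather than DenyAccess."""
    _, result = policy.evaluate(
        {"Network Access:Protocol": "TACACS+", "TACACS:User": username})
    return result != "DenyAccess"


if __name__ == "__main__":
    closed = workaround_policy(["myuser1", "myuser2", "myuser3"])
    # Constructed fail-open variant: unmatched users fall through to an identity source.
    open_ = workaround_policy(["myuser1", "myuser2", "myuser3"], "Internal Users")
    for user in ("myuser1", "myuser4"):
        print(user, "fail-closed:", is_admitted(closed, user),
              "fail-open:", is_admitted(open_, user))
```

Only the explicit default-deny row keeps an unlisted user such as myuser4 off the device; without it, the same request falls through to the identity source, which is the behaviour the thread is complaining about.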
06-15-2016 02:01 PM
Many thanks for the new workaround.
The bug is resolved in ISE 2.1, but there is a new bug for upgrade or backup-and-restore from the previous releases. The fix is not a NONE profile but a new default Deny All Shell Profile. Please use your workaround until a patch is available to add back the default deny-all-shell profile for upgrade use cases.
12-23-2016 01:57 PM
What's the bug ID for the restore/upgrade bug? I just had a customer report that this is still not working in ISE 2.1 Patch 2.
Thanks
12-23-2016 04:20 PM
CSCva04654 covers restore/upgrade, but it should have been included in 2.1 Patch 1.
CSCvc15000 is a newer bug. No official patch is available yet, but it has a workaround in the RNE.
Also note that NX-OS has a T+ client issue. The workaround is in our ISE T+ lab guide, available in Sales Connect.