12-20-2021 10:19 PM
ISE VM Evaluation (I'm doing this on a testbed before I implement it in production for a customer)
Version 3.0 patch 4 with the log4j hotfix.
Problem Description:
Whenever I use the parent group of the network device, the policy does not seem to catch it.
Network Device Group
All Device Type
- SWITCH
Network Device
L3-Switch
Device Type - SWITCH
Device Admin Policy Set
Conditions (Does not work)
Device > Device Type = All Device Type
What does work is
Conditions
Device > Device Type = SWITCH
Question:
Is this the expected behavior of the policy?
Shouldn't it hit the policy, since SWITCH is a sub-group of the parent group All Device Type?
I have also tried the following
Network Device Group
All Device Type
- SWITCH > IOS-XE
Network Device
L3-Switch
Device Type - IOS-XE
Device Admin Policy Set
Conditions (Does not work)
Device > Device Type = SWITCH
I've attached some images for clarity.
12-21-2021 02:55 AM
Hi @jj2048,
The Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#SW_IO-XE> is true if a Device is equal to SW_IO-XE or is equal to All Device.
Note: you are able to create an OR condition to solve your problem, like:
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#SW_IO-XE>
or
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH>
Hope this helps !!!
12-21-2021 04:26 PM
Hi @Marcelo Morais,
It seems that my understanding of how a Network Device parent group should work is not the same as how it is applied in the policies.
From my understanding, if I apply the Condition: Device.DeviceType EQUALS <All Device Type#SWITCH>, the policy should have caught all child groups of SWITCH; the same should be true of All Device Type, which should have caught all the child groups of Device Type. I'll go check this on the lower versions, as I know this is working, if my memory serves me right.
What happens in the actual policy is that, if I apply the Condition: Device.DeviceType EQUALS <All Device Type#SWITCH>, it only catches the network device which is tagged as SWITCH, which I think defeats the purpose of the parent groups.
A workaround on my part is what you have said, an OR condition, and to simplify it further I have used Library Condition Blocks in order to re-use the conditions.
Library Condition Block Name: All Device Softwares
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#SW_IOS-XE>
or
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#SW_NXOS>
or
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#R_IOS-XE>
or
Condition: Device.DeviceType EQUALS <All Device Type#SWITCH#R_IOS-XR>
Extra steps but it does the job for now.
I'll post again once I determine on version 2.7 whether my understanding of parent groups is correct.
12-21-2021 07:24 PM
AFAIK, the Parent/Child hierarchy of NDGs was always just for logical grouping, and condition matching of Child groups by using the Parent group was never supported on any current/prior version of ISE. The Equals operator typically indicates an exact string match in ISE, so ISE would not match on the partial string of the Parent group.
I have always leveraged the OR matching condition suggested by @Marcelo Morais to prevent any potential mis-matches, but you could also try using either the Starts with or Contains operators in your condition rather than Equals. Those operators should allow the string match based on the partial Parent group.
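To make the behaviour described in this thread concrete, here is an added example that is not part of the thread and not Cisco ISE code. It models an NDG assignment as the `#`-separated path string shown in the posts (`All Device Type#SWITCH#SW_IOS-XE`) and evaluates a `Device.DeviceType` condition under plain string semantics for Equals, Starts with and Contains; that ISE compares the full path string this way is the assumption the previous reply makes, and the device names and the sibling groups `ROUTER` and `SWITCHES` below are constructed for the example. It reproduces the original poster's failing case (Equals on the parent never matches a child), the OR-of-Equals workaround, and shows why a Starts with prefix is safer when it ends in the `#` separator.

```python
# Added example, not Cisco ISE code: models how a Device.DeviceType condition
# behaves when the NDG name is a '#'-separated path string. The path form is
# taken from the thread; that ISE compares the whole string is an assumption.

SEP = "#"


def ndg_matches(device_path: str, operator: str, value: str) -> bool:
    """Evaluate one condition with plain string semantics for the operator."""
    op = operator.upper().replace(" ", "_")
    if op == "EQUALS":
        return device_path == value            # exact match: a parent path never equals a child path
    if op == "STARTS_WITH":
        return device_path.startswith(value)   # parent path is a prefix of every descendant path
    if op == "CONTAINS":
        return value in device_path            # substring anywhere in the path
    raise ValueError(f"unsupported operator: {operator}")


def is_descendant_or_self(device_path: str, group_path: str) -> bool:
    """Hierarchy-aware check: the group itself or anything beneath it.

    Anchoring the prefix with the separator stops 'All Device Type#SWITCH'
    from also matching a sibling group such as 'All Device Type#SWITCHES'.
    """
    return device_path == group_path or device_path.startswith(group_path + SEP)


def match_any(device_path: str, conditions) -> bool:
    """OR-combination of conditions, as in the thread's Library Condition Block."""
    return any(ndg_matches(device_path, op, value) for op, value in conditions)


# Constructed network devices and their Device Type NDG assignments.
DEVICES = {
    "L3-Switch":   "All Device Type#SWITCH#SW_IOS-XE",
    "Core-NXOS":   "All Device Type#SWITCH#SW_NXOS",
    "Edge-Router": "All Device Type#ROUTER#R_IOS-XR",    # constructed sibling group
    "Old-Chassis": "All Device Type#SWITCHES#LEGACY",    # constructed: shares the prefix 'SWITCH'
}

# The thread's Library Condition Block "All Device Softwares".
ALL_DEVICE_SOFTWARES = [
    ("EQUALS", "All Device Type#SWITCH#SW_IOS-XE"),
    ("EQUALS", "All Device Type#SWITCH#SW_NXOS"),
    ("EQUALS", "All Device Type#SWITCH#R_IOS-XE"),
    ("EQUALS", "All Device Type#SWITCH#R_IOS-XR"),
]


def evaluate(device_name: str, operator: str, value: str) -> bool:
    """Evaluate a single condition against a named device."""
    return ndg_matches(DEVICES[device_name], operator, value)


def evaluate_block(device_name: str) -> bool:
    """Evaluate the OR condition block against a named device."""
    return match_any(DEVICES[device_name], ALL_DEVICE_SOFTWARES)


def hierarchy_hit(device_name: str, group_path: str) -> bool:
    """Separator-anchored parent-group check against a named device."""
    return is_descendant_or_self(DEVICES[device_name], group_path)


if __name__ == "__main__":
    parent = "All Device Type#SWITCH"
    for name, path in DEVICES.items():
        print(f"{name:12} {path}")
        print(f"  EQUALS parent      : {evaluate(name, 'EQUALS', parent)}")
        print(f"  STARTS WITH parent : {evaluate(name, 'STARTS WITH', parent)}")
        print(f"  STARTS WITH parent#: {hierarchy_hit(name, parent)}")
        print(f"  OR block           : {evaluate_block(name)}")
```

Running the block prints one row per constructed device. The poster's case is visible in the first row: Equals on the parent path is False for the IOS-XE switch while Starts with on the same parent is True. The last row is the caveat: a bare `Starts with All Device Type#SWITCH` also catches the device in the `SWITCHES` sibling group, whereas the separator-anchored check does not; the same over-matching applies to Contains. If you use the prefix operators in an ISE condition, include the trailing `#` (or keep the OR-of-Equals block) so that a later, similarly named group does not silently fall into the policy.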