cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
471
Views
0
Helpful
1
Replies

CSCvg04576 fix release ,

Sherif El Shourafah
Cisco Employee
Cisco Employee

I have a question from an organization, has around 400 branches, at the moment they used a policy to make sure that employees belonging to a certain branch are connected to it, the policy they used to match device location and AD attribute ( different per branch ) to make sure that users who connects are to correct branch ( AD attribute )  and connected to switch allocated in this branch ( device location group), the policy was working fine until they upgraded from 1.2 to 2.2, they hit  CSCvg04576 (AD:ExternalGroups NOT_CONTAINS DEVICE:Parameter doesn't work and always true), and as per TAC this bug will be on 1.3 onward, my question

 

1-    1- Do have any fix release for  CSCvg04576 or it will be supported on upcoming ISE versions ?,

2-   Any workaround would be appreciated,

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10
Level 10

First to add responses already provided by Hsing...

"AFAIK this is by the current design. The only workaround is to use memberOf attribute but that works with direct members only and not primary groups and could incur performance impact.  I would recommend to add and use a specific attribute for the customer use case, instead of trying to match group names.

The AD runtime in ISE 1.3 moved to a new implementation such that we are using SIDs for groups instead of the names to be more efficient. Thus, I consider this a bug to address by roadmap(s) and would need PM involvement."

I recommend the use of a specific attribute that matches location as defined by ISE Network Device Groups.  This way you could have a single policy rule that is similar to the following:

     IF Device:Location EQUALS AD1:Location"

This would allow you to control network access based on the NAD location of user (matched to their location defined in AD/LDAP).  You could also try using AD LDAP which I think is the same suggestion by Hsing to use memberOf.  A cleaner method would be to use attribute like AD Location which is an Indexed attribute in AD.

Craig

View solution in original post

1 Reply 1

Craig Hyps
Level 10
Level 10

First to add responses already provided by Hsing...

"AFAIK this is by the current design. The only workaround is to use memberOf attribute but that works with direct members only and not primary groups and could incur performance impact.  I would recommend to add and use a specific attribute for the customer use case, instead of trying to match group names.

The AD runtime in ISE 1.3 moved to a new implementation such that we are using SIDs for groups instead of the names to be more efficient. Thus, I consider this a bug to address by roadmap(s) and would need PM involvement."

I recommend the use of a specific attribute that matches location as defined by ISE Network Device Groups.  This way you could have a single policy rule that is similar to the following:

     IF Device:Location EQUALS AD1:Location"

This would allow you to control network access based on the NAD location of user (matched to their location defined in AD/LDAP).  You could also try using AD LDAP which I think is the same suggestion by Hsing to use memberOf.  A cleaner method would be to use attribute like AD Location which is an Indexed attribute in AD.

Craig