1072 Views, 1 Helpful, 4 Replies

IdentityAccessRestricted attribute

Hi all;

In the "Active Directory Integration with Cisco ISE 2.x" article, we read:

IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met.

Can anyone explain what "to support legacy policies" means?

Thanks

Accepted Solution

Arne Bier
VIP

@rezaalikhani - this dictionary still exists if there is an active AD Join configured, and it looks like this Boolean was previously available in older versions of ISE (or even from ACS) during the Authentication phase, to check if an account was disabled etc. - but ISE has changed since then, and you can't test this Boolean during Authentication. It's available during Authorization only. But not sure if that makes much sense, because you won't get that far if the Authentication fails. Perhaps you can force the If AuthFail CONTINUE and then test for this in AuthZ. 

BTW, I can't find any mention of the text "IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met." in the link you sent.


4 Replies

balaji.bandi
Hall of Fame

You need to provide the document reference where you are reading this; the context depends on the use case.

"to support legacy policies" mean? - I take this as backward compatibility.

BB



Thanks for your reply...

The actual document is:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

I searched and found that Cisco has removed the following statement starting with the ISE 2.2 documents:

Additionally, you can set the IdentityAccessRestricted attribute if conditions mentioned above (for example, user disabled) are met. IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are met.
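As an added illustration, not taken from the Cisco document or from any poster in this thread, of the kind of Active Directory account state that makes authentication fail before the authorization phase is ever reached: the Python below evaluates the standard AD attributes userAccountControl (ACCOUNTDISABLE bit), accountExpires (FILETIME, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never") and lockoutTime against constructed sample directory entries. The exact set of conditions ISE checks is not stated on this page; the function name identity_access_restricted is a label chosen here to mirror the attribute's meaning, not an ISE or AD API, and the lockout check is simplified (it does not apply the domain's lockout duration).

```python
"""Evaluate the AD-side account states that would make a RADIUS/AD
authentication fail (disabled, expired, locked out).

Added example: the attribute names and flag values are documented
Microsoft AD semantics; the entries and the helper names are
constructed for illustration and are not ISE or AD APIs."""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flag for a disabled account (Microsoft value)
ACCOUNTDISABLE = 0x0002

# accountExpires values that mean "never expires"
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to an AD FILETIME integer."""
    micros = int((dt - FILETIME_EPOCH) / timedelta(microseconds=1))
    return micros * 10


def access_restrictions(entry: dict, now: datetime) -> list:
    """Return the reasons this account would be refused at authentication.

    An empty list means none of the checked restrictions apply."""
    reasons = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        reasons.append("account disabled")

    # lockoutTime is the authoritative lockout indicator; a non-zero value
    # is treated as locked here (simplification: the domain lockout
    # duration is not applied, so a stale lockoutTime still reports locked).
    if int(entry.get("lockoutTime", 0)) != 0:
        reasons.append("account locked out")

    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("account expired")
    return reasons


def identity_access_restricted(entry: dict, now: datetime = None) -> bool:
    """Hypothetical label mirroring the ISE attribute's meaning:
    True when any restriction would block the account."""
    return bool(access_restrictions(entry, now or datetime.now(timezone.utc)))


# Fixed evaluation time so the sample results are reproducible
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample entries (not real directory data); 512 is the
# NORMAL_ACCOUNT flag, 514 is NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_ENTRIES = {
    "ok": {"sAMAccountName": "jdoe", "userAccountControl": 512,
           "accountExpires": 0, "lockoutTime": 0},
    "disabled": {"sAMAccountName": "asmith", "userAccountControl": 514,
                 "accountExpires": 0x7FFFFFFFFFFFFFFF, "lockoutTime": 0},
    "expired": {"sAMAccountName": "contractor", "userAccountControl": 512,
                "accountExpires": datetime_to_filetime(
                    datetime(2023, 12, 31, tzinfo=timezone.utc)),
                "lockoutTime": 0},
    "locked": {"sAMAccountName": "bwayne", "userAccountControl": 512,
               "accountExpires": 0,
               "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
}


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{entry['sAMAccountName']:<12} restricted={identity_access_restricted(entry, NOW)} "
              f"reasons={access_restrictions(entry, NOW)}")
```

The point the thread makes is visible in the output: every entry other than "ok" is refused by the directory itself, so an ISE authorization rule testing a "restricted" flag would only ever be reached if the authentication policy were set to continue on failure, as Arne suggests.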