ISE 2.7 RBAC policy with Data access restriction on RADIUS live logs

M.Jallad
Level 1

Hello,

I have ISE 2.7, and as part of RBAC testing I was trying to apply data access permissions on specific NDGs to restrict certain administrators so that they can only view RADIUS Live Logs for network devices belonging to a specific NDG (in my example I'm calling the NDGs AdminA and AdminB, which are sub-groups under a parent root NDG named RBAC).

Now I created two admin users, "AdminA" and "AdminB", belonging to admin groups named "AdminA" and "AdminB" respectively.

[Image: RBAC - Data Access Permissions]

Then I created full-access menu access permissions for the A and B admin groups, and associated each admin group with its data and menu access permissions as below:

> RBAC Policy AdminA: if the admin user belongs to group AdminA, then grant permissions "Data access for AdminA & Menu access for AdminA"

> RBAC Policy AdminB: if the admin user belongs to group AdminB, then grant permissions "Data access for AdminB & Menu access for AdminB"

However, when I test logging in to ISE as AdminB, I can still see live logs related to a device belonging to NDG "AdminA".

Could anybody confirm whether this is normal behavior or a limitation of ISE?

Thanks,

Accepted Solution


Mike.Cifelli
VIP Alumni

> However, when I test logging in to ISE as AdminB, I can still see live logs related to a device belonging to NDG "AdminA".

AFAIK, with 2.7.x there is no ability to keep live logs for certain NADs separate via RBAC controls. Pretty sure it is an ALL or NOTHING thing. To be honest, I am not sure if this changes in 3.x.

FYSA: Menu Access controls navigational visibility. Data Access controls the ability to read/access/modify the Identity Data on ISE.

HTH!


2 Replies

Thanks for your feedback, Mike.

> Data Access controls the ability to read/access/modify the Identity Data on ISE.

So it's only about controlling permissions on network resource configuration, and not the visibility of data related to these network devices (such as endpoint info, user session info, etc.).