04-05-2019 03:23 AM
Hi Team,
We are currently conducting a PoC on our Internal Networks for ISE - Device Admin. All testing is good but I have two niggling issues and would like the help from the community who can possibly guide me to the correct process.
1. When setting up Device Admin Policy Sets for the WLC Authentication /Authorisation the WLC TACACS works fine once WLC is configured, however, when we create another policy for Cisco switches etc, the policy for WLC stops working. If we make the WLC policy set the first policy to hit it will start to work again. Do we have to keep the WLC policy at the top of all other policies or should it work anywhere on the list.
2. Under the PoC at first we created a Network Device root group called "All Devices TACACS" and made sub groups under it to separate the network entities e.g. Network Device - Switch with further subgroups such as IOS, NX-OS and Juniper. We decided to create another root network device group called Device Admin - All Devices with the similar sub groups under them same as All Devices TACACS but the issue now is that although I've managed to delete some sub groups but I'm unable to delete sub groups that have a device in them and I can't see a way of removing the device from the sub group. At one point I removed all sub groups by moving the devices into the root group All Devices TACACS but then I can't delete the root network group All Devices TACACS because it complains it has devices attached to it. Also if I delete the WLC sub group my WLC stops working.
I was hoping somone on this forum can guide and assist me to put this right so we can complete our PoC and carry on with the actual migration.
I look forward to your help. Many thanks.
Regards,
Amir
Solved! Go to Solution.
07-30-2019 09:19 AM
We just ran into a similar problem, using ISE 2.4. After experimenting and playing around, it's seems to be a bug in how ISE sometimes handles Root Groups that used to have sub-groups and devices assigned - it doesn't always (behind the scenes) remove those groups properly when the devices are moved elsewhere.
We *finally* (mostly) fixed it this way:
1) Export all of the Network Devices into a .CSV
2) Edit said .CSV to remove, from the "Network Device Groups" field, all instances of the root group you want removed
2a) For safety, remove any rows that *don't* include this root group, just so you're only overwriting the data that's "corrupted" (for lack of a better word)
3) Reimport, using the "Overwrite Existing Data" option
4) At that point, you should be able to remove the old Root Group from the Network Devices Groups tab without the error
5) After re-exporting the Network Device list, I noticed that they still had the Root Group defined in them, even though it no longer existed in ISE; repeating steps 2-3 finally got rid of it for good
There definitely should be a way to forcibly remove a custom Root Group, even if the system thinks there are items in it, but hopefully this workaround works for you too.
04-05-2019 04:09 AM
Hi,
For Concern 1:
Seems you are WLC authorization is hitting on the authorization profile of Switch, Because its satisfying the condition of that rule. Create authorization policy with separate the WLC and Switch grouping so that each will hit on their respective Authorization rule and Get access as per their TACACS Profiles defined.
For Concern 2:
You can't delete a Root and Sub group if its mapped to the Network device. Create a New Root and Sub group as per your requirement and map it to the Network devices. Before Making these changes you have to make sure that In Policy sets or Policy (Authentication or Authorization) whether those new root or sub groups are there in policy to avoid issue in TACACS login.
If still you face issue, Share the same policy.
04-05-2019 04:16 AM
Hi Sathiyanarayanan,
Thank you for your quick reply.
Authorisation rules are separated (see attached) but if WLC policy set was moved down then it will stop working.
Secondly with the Network Device Group...again devices are mapped to the correct group and Authentication/Authorisation policy sets reflect the new group.....the attached file shows the conditions.
Many thanks.
Amir
04-08-2019 03:26 PM
Hi Mohammed,
Thanks for sharing the policy. Instead of All devices#Network Device WLAN#WLC, Create a Device type WLC under all device Type.
And modify the condition for WLC policy set with Device: Device Type Equals to All Device Type : WLC. Below Snap for your reference.
04-05-2019 04:10 AM
I have had good success with NDG (Network Device Groups) by using Device Types like this
WLC
Switches
Routers
Then assign those to the actual Network clients in ISE.
Then the TACACS Policy Sets become very easy. Create one Condition for WLC and one for "Switches OR Routers" (since if they are running IOS then you return the same stuff anyway). The WLC category requires results like role=ALL or role=MONITOR.
So in summary - if you tag your NADs with a Device Type, then there is no ambiguity in your Policy Sets.
04-05-2019 04:20 AM
Hi Arnie,
Yup tried already....the issue is that even if I have the old root group left it won't let me remove it. Error message is that group can't be deleted as it has sub groups or devices allocated to it.
i don't want to leave old root groups on our system and it seems like a pain to remove it.
Cheers.
04-05-2019 04:48 AM
i have not touched pre-ISE 2.3 for a long time so I cannot say whether the output in your PNG is valid for ISE 2.2 - but it does look weird to me.
DEVICE:Device Admin - All Devices EQUALS Device Admin - All Devices#Device Admin - All Devices#Network Device ...
What does the structure of your NDG look like? Can you show that hierarchy?
I would start from scratch and build a simpler structure
04-05-2019 05:01 AM
Hi Arnie,
I have built it from scratch...so in brief it was working fine under All Devices TACACS group but then we thought we need to change the group name but we cannot change a name of a root group so we created a new group under which we added all our other sub groups and added a couple of devices....so no issues at this point.
The only issue is I want to get rid of the old group which the system won't let me until the group is free of all sub groups and devices...No where in the Cisco documentation it tells you how to remove a device out of a particular group....there is absolutely no option. You can move the device around under the same sub group and you can add the same device in other groups but I don't see an option to remove devices out of any type of group whether it be sub or root group.
I've attached the hierarchy grouping structure which in my view is fairly straight forward. Cheers.
Amir
07-30-2019 09:19 AM
We just ran into a similar problem, using ISE 2.4. After experimenting and playing around, it's seems to be a bug in how ISE sometimes handles Root Groups that used to have sub-groups and devices assigned - it doesn't always (behind the scenes) remove those groups properly when the devices are moved elsewhere.
We *finally* (mostly) fixed it this way:
1) Export all of the Network Devices into a .CSV
2) Edit said .CSV to remove, from the "Network Device Groups" field, all instances of the root group you want removed
2a) For safety, remove any rows that *don't* include this root group, just so you're only overwriting the data that's "corrupted" (for lack of a better word)
3) Reimport, using the "Overwrite Existing Data" option
4) At that point, you should be able to remove the old Root Group from the Network Devices Groups tab without the error
5) After re-exporting the Network Device list, I noticed that they still had the Root Group defined in them, even though it no longer existed in ISE; repeating steps 2-3 finally got rid of it for good
There definitely should be a way to forcibly remove a custom Root Group, even if the system thinks there are items in it, but hopefully this workaround works for you too.
07-31-2019 02:40 AM
Thank you that was very helpful indeed. Cheers.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide