10-18-2019 05:12 AM
Hi
Is there any way to restrict the permissions for ISE admin accounts in the ERS Admin group?
I'm using a PowerShell script that runs on a Windows WDS PXE client - during the imaging process, the script adds the MAC address of the client to an ISE whitelist - ISE will then authorize the WDS client for the duration of the imaging process.
Our Security Officer has raised concerns about using an ERS Admin Group account with full access - I'm looking at restricting the WDS ERS account so that it only has permissions to add/remove devices from the specific ISE whitelist endpoint group. Is this possible?
Thanks
Andy
ps I'm testing this on ISE 2.3 patch 6
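The ERS calls such a script makes, as an added example (this is not the script from the thread and not Cisco's code): it resolves the whitelist endpoint group by name, validates the MAC before sending it, and only ever adds or removes endpoints in that one group. The ISE host name, the credential source, the group name WDS_Whitelist, and the ERS paths and JSON shape used here (/ers/config/endpointgroup, /ers/config/endpoint with an ERSEndPoint body, the name.EQ. and mac.EQ. filters, port 9060) are assumptions to check against the ERS API reference for your ISE version.

```powershell
# Added example, not the script from the thread. Assumed: the ISE PAN host name,
# the ERS credential (passed in, never hard-coded), the whitelist group name, and
# the ERS paths/JSON shape as published in the ISE ERS API reference.

function Get-IseErsHeaders {
    param([Parameter(Mandatory)][pscredential]$ErsCred)
    # ERS uses HTTP Basic auth; build the header explicitly so the first request
    # is authenticated rather than relying on a 401 challenge round-trip.
    $pair  = '{0}:{1}' -f $ErsCred.UserName, $ErsCred.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    return @{
        Authorization  = "Basic $token"
        Accept         = 'application/json'
        'Content-Type' = 'application/json'
    }
}

function ConvertTo-IseMac {
    param([Parameter(Mandatory)][string]$Raw)
    # Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 and emit AA:BB:CC:DD:EE:FF.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a valid MAC address: '$Raw'" }
    return ($hex -replace '(..)(?=.)', '${1}:')
}

function Get-IseEndpointGroupId {
    param([string]$BaseUri, [hashtable]$Headers, [string]$GroupName)
    # Resolve the group by exact name so the script can only ever touch that one group.
    $r = Invoke-RestMethod -Method Get -Headers $Headers `
         -Uri "$BaseUri/endpointgroup?filter=name.EQ.$([uri]::EscapeDataString($GroupName))"
    if ($r.SearchResult.total -ne 1) { throw "Endpoint group '$GroupName' not found" }
    return $r.SearchResult.resources[0].id
}

function Add-IseWhitelistEndpoint {
    param(
        [Parameter(Mandatory)][string]$IseHost,
        [Parameter(Mandatory)][pscredential]$ErsCred,
        [Parameter(Mandatory)][string]$Mac,
        [string]$GroupName = 'WDS_Whitelist'   # assumed group name
    )
    $base    = "https://${IseHost}:9060/ers/config"
    $headers = Get-IseErsHeaders -ErsCred $ErsCred
    $mac     = ConvertTo-IseMac -Raw $Mac
    $groupId = Get-IseEndpointGroupId -BaseUri $base -Headers $headers -GroupName $GroupName
    $body = @{
        ERSEndPoint = @{
            mac                   = $mac
            groupId               = $groupId
            staticGroupAssignment = $true   # pin to the group; don't let profiling move it
            description           = "WDS imaging, added $(Get-Date -Format o)"
        }
    } | ConvertTo-Json -Depth 3
    # ERS answers 201 Created with an empty body and a Location header on success.
    Invoke-RestMethod -Method Post -Uri "$base/endpoint" -Headers $headers -Body $body | Out-Null
    return $mac
}

function Remove-IseWhitelistEndpoint {
    param(
        [Parameter(Mandatory)][string]$IseHost,
        [Parameter(Mandatory)][pscredential]$ErsCred,
        [Parameter(Mandatory)][string]$Mac,
        [string]$GroupName = 'WDS_Whitelist'   # assumed group name
    )
    $base    = "https://${IseHost}:9060/ers/config"
    $headers = Get-IseErsHeaders -ErsCred $ErsCred
    $mac     = ConvertTo-IseMac -Raw $Mac
    $groupId = Get-IseEndpointGroupId -BaseUri $base -Headers $headers -GroupName $GroupName
    $found = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/endpoint?filter=mac.EQ.$mac"
    foreach ($res in $found.SearchResult.resources) {
        # Re-read the endpoint and delete it only if it really sits in the whitelist group,
        # so a wrong $Mac cannot remove some other, unrelated endpoint.
        $ep = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/endpoint/$($res.id)"
        if ($ep.ERSEndPoint.groupId -eq $groupId) {
            Invoke-RestMethod -Method Delete -Headers $headers -Uri "$base/endpoint/$($res.id)" | Out-Null
        }
    }
}

# Usage during imaging (credential from a secure store, not embedded in the script):
# $cred = Import-Clixml 'C:\imaging\ers.cred.xml'   # DPAPI-protected, created with Export-Clixml
# $mac  = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1).MacAddress
# Add-IseWhitelistEndpoint -IseHost 'ise-pan.example.local' -ErsCred $cred -Mac $mac
# ... imaging ...
# Remove-IseWhitelistEndpoint -IseHost 'ise-pan.example.local' -ErsCred $cred -Mac $mac
```

The imaging host must trust the ISE admin certificate so that TLS validation stays on; the ERS credential should be readable only by the account the imaging process runs as. Note what this does and does not achieve: it narrows what the script will do (one group, validated MACs, delete only from that group), but the ERS Admin account behind it keeps its full ERS rights, so protecting that credential and reviewing ISE's ERS audit records for changes outside the whitelist group are the remaining compensating controls.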
10-18-2019 05:57 AM
Have you tried to create a new "Data Access Permission" and apply that to the ERS Admin rule in the administration authorization policy? By default, the ERS Admin rule applies the "Super Admin Data Access" permission. You can change that to use a new custom permission. Then in there, select the identity groups that you want the ERS Admin accounts to have access to. I haven't tried it myself but if it were possible, that is how it would be done.
10-18-2019 06:19 AM
Thanks for the reply
I have tried the following:
When I place the script's account in the ERS_WDS admin group, I can't access the ISE API, as the documentation states that the ERS account must be in either the ERS Operator or ERS Admin groups.
I tried adding the script's account to both the ERS_WDS and the ERS Admin groups - I can access the API ok with the account but have full access (not restricted to only the specific whitelist endpoint group).
The ISE documentation for admin RBAC group states:
All of those applicable policies will be evaluated when an admin user tries to perform an action. The final decision will be the aggregate of all the policies applicable for that role. If there are contradictory rules which permit and deny at the same time, the permit rule will override the deny rule.
So it looks like if an admin account used for ERS has to be in the ERS admin group to work, it will have full access regardless of any permission restrictions I try to apply.
cheers
Andy
10-18-2019 07:10 AM
That all makes sense. What I was saying was to change the Data Access permissions for the ERS Admin group. Now that isn't ideal if you have other operations using the API that need full access. But if this is the only thing you are using the API for, then it should work for you.
10-18-2019 07:47 AM
The built-in RBAC policy for ERS Admin on ISE 2.3 patch 6 is:
Rule Name: ERS Admin Policy
Admin Group: ERS Admin
Permissions: Super Admin Data Access
When I attempt to modify permissions, I get the error:
Modifying default ERS Admin Policy is not allowed
When I give my script's ERS account the same Super Admin Data Access permissions, I can't access the API (I get HTTP Status 401 – Unauthorized).
So it does look like an ISE ERS account has to be a member of either the ERS Admin/Operator groups, and the permissions for these groups can't be modified.
Cheers
Andy
10-18-2019 08:28 AM
Yeah, and I just checked to see if we can disable that rule and we can't. Sounds like an enhancement request needs to be created for this. API access should use RBAC so you can control what API operations are allowed by different groups/applications. With your situation as a perfect example of the need.
10-18-2019 08:36 AM - edited 10-18-2019 08:59 AM
Yes - I'll log that request through our Cisco Support partner. I've just had a chat with the team dealing with WDS and they say that the script will only run after the WDS client has tftp'd the boot image and an authorised user has logged in - hopefully that will satisfy security compliance. I'll mark the thread as resolved.
Thanks
Andy
06-09-2020 05:47 PM
Hello,
Were you able to get a solution to this issue? We need custom access for the ERS admin user for the exact same reason.
06-10-2020 01:04 AM
Hi - No, no solution as yet. You can track the enhancement request here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr07394
hth
Andy