ISE TACACS+ authentication CSCuy46322 (Restrict Authenticated but not Authorized users' access to VTY)

epetyaks
Cisco Employee

Team, good day !

Regarding: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322/?referring_site=bugquickviewredir

And the situation where any user from AD can access the VTY with the default DenyAllCommands authorization policy, and many such logins could potentially deny administration access through the VTY.

In bug notice, known fixed release is ISE 2.1(0.474).

We have all patches installed on ISE:

Cisco Identity Services Engine
---------------------------------------------
Version : 2.1.0.474
Build Date   : Wed May 25 07:34:43 2016
Install Date : Mon Sep 19 21:08:02 2016

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Mon Sep 19 23:50:15 2016

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 2
Install Date : Mon Nov 28 11:52:19 2016

And provided a few tests regarding Authentication:

  1. DenyAllCommands cannot be deleted (to test DefaultDeny access to the VTY)
  2. Authenticated, but not authorized, users can still access the VTY
  3. Tried executing the Autocommand ‘exit’ on such users – the command doesn’t work

Team, are there any workarounds/solutions to prevent Authenticated, but not Authorized, users from accessing the VTY? Or to restrict Authentication to specific AD groups/OUs?

Thank you !

Accepted Solution

hslai
Cisco Employee

If seen only with NX-OS, it's likely due to known issues with NX-OS devices. I documented the workaround in the lab guide for T+ in Sales Connect.

Otherwise, you are likely hitting a newer bug -- CSCvc15000.

