11-11-2017 10:33 PM
Note: This was tested on ISE 2.1p3 and ISE 2.1p6
I'm trying to make a very concise rule to deny folks from joining the WiFi after business hours, 8am to 5pm. The easiest way is to create 1 deny rule that would go into effect anytime other than M-F 8-5; however, this rule is not working. If I use anything in the exceptions section of a time of day rule in a policy, the rule is never matched.
Trying to create a rule to match anything NOT M-F 8am to 5pm, comes out like this:
The policy would then be (Not M-F_8to5 and only certain APs):
I can create Standard Settings rules all day (Specific Hours 8-5, Specific days M-F) and create a permit rule and a deny under it, and that works fine. However, to do what I need to do I'd have to create 4 individual rules with a deny as the 4th, rather than just 1 clean deny rule.
Why do Time and Day Exceptions like the above not work as a condition in a policy?
11-11-2017 11:53 PM
A known defect -- CSCvf45333.
And, if your ISE is 2.0 or older, then CSCux81127 also applies.
Please explain how you would need 4 rules with the standard settings.
11-12-2017 07:52 AM
That BugID is internal only, I am not able to view it. I went to search for a bug like this, nothing came up, apparently because it was an internal only bug. If this bug was published it would have saved me a lot of time.
---
CSCvf45333
Insufficient Permissions to View Bug
This bug contains proprietary information and is not yet publicly available.
You may find useful information within the Cisco Support Community
——
In this case, it requires 4 rules because this rule is for guest users only, on an ISE deployment using 2nd interfaces for the Guest splash page.
RegisteredDevices Permit
SponsoredEndpoints Permit
1) GuestEndpoints time of day, AP XYZ
2) Onboarding Rule ISE1 with time of day permit, AP XYZ
3) Onboarding Rule ISE2 with time of day permit, AP XYZ
4) Deny rule, AP XYZ
GuestEndpoints Permit
Onboarding ISE1
Onboarding ISE2
Where I could just use 1 rule with the exception to accomplish all of this.
RegisteredDevices Permit
SponsoredEndpoints Permit
1) Time of day EXCEPTION, Deny, AP XYZ
GuestEndpoints Permit
Onboarding ISE1
Onboarding ISE2
11-12-2017 09:42 AM
If I got it correctly, it seems the additional rules are due to the fact that you would like the restrictions on AP XYZ only.
I added a release-note enclosure to the bug last night and it takes a couple of days to go through reviews before becoming publicly visible.
11-12-2017 09:46 AM
Yes, that is correct. These are time of day rules for about 10 different sites, each site with different office hours I need to match, so this bug and not being able to do exception rules takes me from having around 10 rules with "not-time, deny" to around 40 rules with "Time+Guest, time+onboard, permits".
11-12-2017 09:31 PM
Dev confirmed it is currently resolved in ISE 2.3. Perhaps you may try ISE 2.3 in a lab.
11-14-2017 10:54 AM
In case you are unable to use ISE 2.3, you may consider engaging Cisco TAC and requesting a hot patch, as the bug fix is not yet committed to any patch releases.
11-14-2017 12:30 PM
Understood.