Network Device Group for policy selection

martucci
Cisco Employee

On ISE 2.0, I have configured some devices and created a Device Group called “Cisco Switch”.

On my TACACS Policy Set I have created a policy to match on “Any Device Groups”.

If I try to log on to the Cisco Switch, it doesn’t match the TACACS rule. If I change the rule to match on Cisco Switch, it matches, or if we change the Device Type to All Device Types, again it matches.

This is the first time I am experiencing this, but I thought “All Device Types” was a catch-all for all groups?

I find this against the logic.

1 Accepted Solution

Hi Francesca,

I think I see the problem.  Please modify the condition to use CONTAINS instead of EQUALS.  You shouldn't have any problems matching at that point.

Regards,

-Tim

4 Replies

Timothy Abbott
Cisco Employee

Hi,

Can you explain what the group structure looks like?  For example:

All Device Types / Any Device Groups / Cisco Switch

Also, what does the condition look like? For example:

DEVICE:Device Type CONTAINS Device Type#All Device Types#Cisco Switch

Regards,

-Tim

Hi Tim,

Yes.

It happened to me yesterday while I was running through the lab guide for ISE 2.0, refreshing the T+ configuration. I did follow the lab guide, but while defining the policy I forgot the inner group IOS-SW in the new line.

And the policy did not match.

See below screen shot

I then had an email this morning from a customer experiencing exactly the same problem and asking if it is a bug or on purpose, as it is counterintuitive.

The example I have given is the one explained from the customer

Thanks

Francesca

==========================================================

Francesca Martucci – CISSP # 481718

CONSULTING SYSTEMS ENGINEER.SECURITY SALES

UKI

martucci@cisco.com

Phone: +44 20 8824 6984

Mobile: +44 77 47476000

==========================================================

Hi Francesca,

I think I see the problem.  Please modify the condition to use CONTAINS instead of EQUALS.  You shouldn't have any problems matching at that point.

Regards,

-Tim
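
A simplified model of the EQUALS versus CONTAINS behaviour discussed in this thread, added here as an example; it is not code from any poster or from ISE. It assumes a device's group is compared as its full `#`-separated path (the form shown in the condition quoted above) and that CONTAINS is a substring test; the group names, rule names, and helper functions are constructed for illustration.

```python
from dataclasses import dataclass

SEP = "#"  # hierarchy separator, as in "Device Type#All Device Types#Cisco Switch"

@dataclass(frozen=True)
class Rule:
    name: str
    operator: str  # "EQUALS" or "CONTAINS"
    value: str     # group path the condition is written against

def condition_matches(device_group: str, rule: Rule) -> bool:
    """Assumed semantics: EQUALS compares the whole path, CONTAINS is a substring test."""
    if rule.operator == "EQUALS":
        return device_group == rule.value
    if rule.operator == "CONTAINS":
        return rule.value in device_group
    raise ValueError(f"unsupported operator: {rule.operator}")

def select_rule(device_group: str, rules):
    """First-match evaluation; None means the request falls through every rule."""
    for rule in rules:
        if condition_matches(device_group, rule):
            return rule.name
    return None

def missed_child_groups(rule: Rule, all_groups):
    """Child groups that an EQUALS rule written on a parent group will not match."""
    if rule.operator != "EQUALS":
        return []
    prefix = rule.value + SEP
    return [g for g in all_groups if g.startswith(prefix)]

# Constructed sample hierarchy (not taken from a real deployment).
ROOT = "Device Type#All Device Types"
SWITCH = ROOT + SEP + "Cisco Switch"
IOS_SW = SWITCH + SEP + "IOS-SW"
GROUPS = [ROOT, SWITCH, IOS_SW]

if __name__ == "__main__":
    for op in ("EQUALS", "CONTAINS"):
        rule = Rule("Device admin", op, ROOT)
        print(op, "-> rule selected for switch:", select_rule(SWITCH, [rule]))
        print(op, "-> child groups missed:", missed_child_groups(rule, GROUPS))
```

In this model CONTAINS is a plain substring test, so it would also match any other group whose path includes the same text; check the rule hit in the live logs after changing the operator.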

Ah, perfect,

Thanks a lot

Francesca