Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
0
Helpful
4
Replies

Network Device Group for policy selection

Go to solution
martucci
Cisco Employee
Cisco Employee

‎05-18-2016 08:34 AM

on ISE 2.0, I have configured some devices and created a Device Group called “Cisco Switch”

On my  Tacacs Policy set I  have created a Policy to match on “Any Device Groups”

If I try and log onto the Cisco Switch it doesn’t match the Tacacs rule. If I  change the rule to match on Cisco Switch it matches or if we change the Device Type to All Device types again it matches

This is the first time I am experiencing this, but I thought the  “All Device Types” being a catch all for all Groups ?

I find this against the logic.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to martucci

‎05-18-2016 09:37 AM

Hi Francesca,

I think I see the problem.  Please modify the condition to use CONTAINS instead of EQUALS.  You shouldn't have any problems matching at that point.

Regards,

-Tim

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎05-18-2016 08:55 AM

Hi,

Can you explain what the group structure looks like?  For example:

All Device Types / Any Device Groups / Cisco Switch

Also, what does the condition look like? For example:

DEVICE:Device Type CONTAINS Device Type#All Device Types#Cisco Switch

Regards,

-Tim

0 Helpful

Go to solution
martucci
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎05-18-2016 09:08 AM

Hi Tim,

Yes.

I happened to me yesterday while I was running through the lab guide for ISE 2.0 refreshing T+ configuration. I did follow the lab guide but while defining the policy, I forgot the inner group IOS-SW in the new line.

And the policy did not match.

See below screen shot

I then has an email this morning from a customer experiencing exactly the same problem and asking if it is a bur or in purpose as it is counterintuitive.

The example I have given is the one explained from the customer

Thanks

Francesca

==========================================================

Francesca Martucci – CISSP # 481718

CONSULTING SYSTEMS ENGINEER.SECURITY SALES

UKI

martucci@cisco.com<mailto:martucci@cisco.com>

Phone: +44 20 8824 6984

Mobile: +44 77 47476000

==========================================================

Preview file
54 KB
0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to martucci

‎05-18-2016 09:37 AM

Hi Francesca,

I think I see the problem.  Please modify the condition to use CONTAINS instead of EQUALS.  You shouldn't have any problems matching at that point.

Regards,

-Tim

0 Helpful

Go to solution
martucci
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎05-18-2016 11:37 AM

Ah, perfect,

Thanks a lot

Francesca

Sent from my iPhone

0 Helpful
Customers Also Viewed These Support Documents