06-06-2018 07:00 AM
Hello everyone,
I am creating an RBAC admin for a particular router, but he ends up getting access to all other firewalls as well. I am not sure how this is happening, so here are the steps which I followed.
1) Created a User Group; created the user and then assigned that user to that group.
2) Command Sets - default; Shell Profile - Max & Default Privilege = 15
3) Created a policy set and applied the condition to extract that device.
4) Authentication - default
5) Authorization - Conditions (user group) + [Command Sets + Shell Profile]
When I log in to that particular router, I get a hit count on those authentication and authorization policies, but I am also able to access the firewalls and other devices with that username/password. When I checked the TACACS live logs, it shows that the login is allowed by All-Firewall >> Default and the shell profile as Security Device Admin. So can someone please help me out on this?
06-06-2018 09:08 AM
06-07-2018 06:13 AM
Hello Timothy,
That's exactly where the problem is. I am not able to figure out what options to use to filter out the traffic. So can you please suggest the steps?
06-08-2018 06:38 AM
Please ensure the RBAC admin policy set is before that of All-Firewalls, and provide screenshots of the two policy sets. ISE T+/RADIUS policies are both top-down and first-match.
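The top-down, first-match rule stated in the reply, as an added model that is not part of the thread and not Cisco ISE code. The policy-set names, device names, identity groups and shell-profile names are constructed to mirror the original post; the evaluator lets you check which policy set and which authorization rule would handle a given login, so you can confirm what ordering changes and what it does not. In particular it reproduces the live-log result the poster saw (All-Firewall >> Default granting Security Device Admin), which comes from the All-Firewalls set's own Default authorization rule rather than from the RBAC admin set.

```python
# Added example (not Cisco ISE code): a small model of ISE-style TACACS+
# policy-set evaluation, top-down and first-match, as the reply states.
# Device names, groups and profile names are constructed to mirror the
# original post; they are not taken from any real deployment.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    username: str
    groups: frozenset        # identity groups the user belongs to
    device: str              # network device name the user logged in to
    device_type: str         # e.g. "Router" or "Firewall"


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Request], bool]
    shell_profile: str       # what the user gets if this rule matches


@dataclass
class PolicySet:
    name: str
    condition: Callable[[Request], bool]   # policy-set entry condition
    authz_rules: List[AuthzRule]
    default_profile: str = "DenyAccess"    # the set's own Default authz rule


Result = Tuple[str, str, str]  # (policy set, authorization rule, shell profile)


def evaluate(policy_sets: List[PolicySet], req: Request) -> Result:
    """Top-down, first-match: the first policy set whose condition holds
    handles the request. Inside it, the first matching authorization rule
    wins; if none matches, that set's Default rule applies. The built-in
    Default policy set at the bottom is modelled here as deny."""
    for ps in policy_sets:
        if not ps.condition(req):
            continue
        for rule in ps.authz_rules:
            if rule.condition(req):
                return (ps.name, rule.name, rule.shell_profile)
        return (ps.name, "Default", ps.default_profile)
    return ("Default", "Default", "DenyAccess")


def build_policy_sets(firewall_default: str = "Security Device Admin") -> List[PolicySet]:
    """The two sets from the thread, in the order the reply recommends."""
    rbac_admin = PolicySet(
        name="RBAC-Admin",
        condition=lambda r: r.device == "rtr-core-01",   # scoped to one router
        authz_rules=[AuthzRule("Router-Admins",
                               lambda r: "RBAC-Admin-Group" in r.groups,
                               "Max-Priv15")],
    )
    all_firewalls = PolicySet(
        name="All-Firewalls",
        condition=lambda r: r.device_type == "Firewall",
        authz_rules=[AuthzRule("FW-Admins",
                               lambda r: "Firewall-Admins" in r.groups,
                               "Firewall-Admin")],
        default_profile=firewall_default,   # what "All-Firewall >> Default" hands out
    )
    return [rbac_admin, all_firewalls]


def broad_set() -> PolicySet:
    """Constructed: a set whose condition matches every device. Placed above
    RBAC-Admin it swallows the router login too, which is the ordering
    problem the reply warns about."""
    return PolicySet("All-Network-Devices", lambda r: True, [],
                     default_profile="Security Device Admin")


def login(policy_sets: List[PolicySet], device: str, device_type: str) -> Result:
    """Simulate the RBAC admin user (member of RBAC-Admin-Group only)
    logging in to the given device."""
    req = Request("rbacadmin", frozenset({"RBAC-Admin-Group"}), device, device_type)
    return evaluate(policy_sets, req)


if __name__ == "__main__":
    sets = build_policy_sets()
    print(login(sets, "rtr-core-01", "Router"))   # handled by RBAC-Admin
    print(login(sets, "fw-edge-01", "Firewall"))  # All-Firewalls >> Default
    # Order only decides the outcome where set conditions overlap; these two
    # are disjoint, so reversing them leaves the router login unchanged:
    print(login(list(reversed(sets)), "rtr-core-01", "Router"))
    # A catch-all set placed first takes the router login away from RBAC-Admin:
    print(login([broad_set()] + sets, "rtr-core-01", "Router"))
    # With the firewall set's Default rule set to DenyAccess, the same
    # firewall login is refused:
    print(login(build_policy_sets(firewall_default="DenyAccess"), "fw-edge-01", "Firewall"))
```

Running it shows two things worth checking against the live logs: the policy set that handles a login is the first one whose entry condition matches, so ordering matters only where conditions overlap; and when the matched set has a permissive Default authorization rule, every user who falls through its specific rules receives that rule's shell profile.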