Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
0
Helpful
3
Replies

RBAC - Read only is not working for External Admin User in ISE 2.4

Go to solution
jakeraze
Level 1
Level 1

‎12-15-2019 07:22 AM

Hello,

 

I have questions regarding Admin Access, if the Admin user that i created is based on External AD.

and If i tick the read only or apply an rbac-read only policy.

It is not affecting the admin account. Once i Login, i can still write on ISE.

 

but if i create an internal admin account on ISE. Read only and RBAC policy is working.

Have you encountered this scenario? How to fix this.

 

Thanks in advance

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to jakeraze

‎12-16-2019 04:45 PM

It is possible that you are hitting a defect as RBAC read-only support with external identity sources gained support in ISE 2.3. I would also check the release notes to see if there is a defect listed and if it is resolved in a patch for ISE 2.4. If not, you can contact the TAC to troubleshoot further.

Regards,
-Tim

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-15-2019 02:15 PM

Is the AD user only mapped to a single group leveraged in the admin access policy or multiple?

 

I could see ise using first match rather than least privilege for access but I have not tested it.

 

What ise admin groups are you trying to leverage right now? 

0 Helpful

Go to solution
jakeraze
Level 1
Level 1
In response to Damien Miller

‎12-15-2019 11:14 PM

I created custom admin groups that have limitation on viewing some menu. - didn't work as external
i tried helpdesk admin group. - still did not work if the account is external.

same username and make it as internal to ISE. - Read only and RBAC Helpdesk admin is working.

is this some kind of a bug? using ISE 2.4 patch none.
0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to jakeraze

‎12-16-2019 04:45 PM

It is possible that you are hitting a defect as RBAC read-only support with external identity sources gained support in ISE 2.3. I would also check the release notes to see if there is a defect listed and if it is resolved in a patch for ISE 2.4. If not, you can contact the TAC to troubleshoot further.

Regards,
-Tim
0 Helpful
Customers Also Viewed These Support Documents