RBAC - Read only is not working for External Admin User in ISE 2.4

Hello,

 

I have questions regarding Admin Access if the admin user that I created is based on external AD.

If I tick read-only or apply an RBAC read-only policy, it does not affect the admin account. Once I log in, I can still write on ISE.

But if I create an internal admin account on ISE, read-only and the RBAC policy are working.

Have you encountered this scenario? How can I fix this?

 

Thanks in advance

1 ACCEPTED SOLUTION


It is possible that you are hitting a defect as RBAC read-only support with external identity sources gained support in ISE 2.3. I would also check the release notes to see if there is a defect listed and if it is resolved in a patch for ISE 2.4. If not, you can contact the TAC to troubleshoot further.

Regards,
-Tim


3 REPLIES
Is the AD user only mapped to a single group leveraged in the admin access policy or multiple?

I could see ISE using first match rather than least privilege for access, but I have not tested it.

What ISE admin groups are you trying to leverage right now?


I created custom admin groups that have limitations on viewing some menus - didn't work as external.
I tried the Helpdesk Admin group - still did not work if the account is external.

Same username, made internal to ISE - read-only and RBAC Helpdesk Admin are working.

Is this some kind of bug? Using ISE 2.4 with no patch.