cisco ISE limitation ***READ***

Started by LynK, February 04, 2016, 03:28:30 PM


LynK

quick update from our Cisco SE

Quote: just heard from the BU that they are planning on DenyAccess for the release coming this summer. It is now committed, but I know that's a little late for this initial implementation.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

wintermute000


LynK

here it is boys:

Quote: CSCuy46322 DefaultDeny access present in ACS is missing in ISE's TACACS feature.

deanwebb

:ckfacepalm:

How do they miss something like that?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

your guess is as good as mine.

Funny but not so funny update.

You can restrict to enable mode on IOS. On Nexus, even if you set the permissions level to 0, they can still get into config mode.... sigh.

Dieselboy

Oh, I'm glad I'm not the only one who finds out things like this that completely throw you as to how or why they were not included initially. A real head scratcher.

:wall:

wintermute000

I love how the bug report says FIXED but doesn't tell you which version it is fixed in! The link goes straight to the standard download portal, not the fixed version.

Ctrl Z

Cisco must not have tested it very well to let that little mistake slip through to production. We were told not to migrate our TACACS+ functions to ISE 2.0 because of issues, but that was because we already have existing ACS infrastructure.

Perhaps you can use a temporary workaround until Cisco releases a fix. Not sure if this will work with your ISE implementation, but you could adjust the dACL applied to your users that would permit/deny connectivity to the network devices. So members of the Network Engineer group get IP connectivity to the network devices, then your device administration policies will handle authorization. Users who are not members of the Network Engineer group get a dACL that denies IP connectivity to your network devices so they never end up hitting the device administration authentication policy at all.
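The dACL pair that workaround describes, written out as an added example (it is not from the thread and not Cisco's own configuration). The management subnet 10.255.0.0/24, the dACL names and the group name are assumed placeholders; dACL lines use IOS extended-ACL syntax with wildcard masks, which is what ISE downloadable ACLs expect.

```cisco
! dACL "NetEng-Allow-Mgmt" (assumed name)
! Pushed by the ISE authorization rule that matches the Network Engineer group;
! these sessions reach the device management subnet, so the TACACS+ device
! administration policy decides what they may do once they get there.
permit ip any 10.255.0.0 0.0.0.255
permit ip any any

! dACL "Users-Deny-Mgmt" (assumed name)
! Pushed by the catch-all authorization rule for everyone else; traffic toward
! the management subnet is dropped at the access port, so those users never
! reach a device login and never hit the device administration policy.
deny ip any 10.255.0.0 0.0.0.255
permit ip any any
```

The lines beginning with "!" are annotations for this post; leave them out when entering the dACL content in ISE, which checks the ACL syntax on save. Two things to check before relying on this: the dACL only gates sessions that ISE authorizes on the access layer, so a path to the management subnet that bypasses 802.1X/MAB (a VPN pool, an unauthenticated port, a jump host) is not covered, and the engineers who are allowed through still depend on the TACACS+ shell/command authorization being correct, since the dACL does nothing about the missing DefaultDeny once a login succeeds.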