cisco ISE limitation ***READ***

[LynK]

quick update from our Cisco SE

just heard from the BU that they are planning on DenyAccess for the release coming this summer.  It is now committed, but I know that's a little late for this initial implementation.

[wintermute000]

Thanks for update

[LynK]

here it is boys:

CSCuy46322  DefaultDeny access present in ACS is missing in ISE's TACACS feature.

[deanwebb]

How do they miss something like that?

[LynK]

your guess is as good as mine.

Funny but not so funny update.

You can restrict to enable mode on IOS. On nexus even if you set the permissions level to 0, they can still get into config mode.... sigh.

[Dieselboy]

Oh I'm glad I'm not the only one that finds things out like this that completely throws you as to how or why it was not included initially. A real head scratcher.

[wintermute000]

I love how the bug report says FIXED but doesn't tell you which version is fixed! link goes straight to standard download portal, not the fixed version.

[Ctrl Z]

Cisco must not have tested it very well to let that little mistake slip through to production. We were told not to migrate our TACACS+ functions to ISE 2.0 because of issues, but that was because we already have existing ACS infrastructure.

Perhaps you can use a temporary workaround until Cisco releases a fix. Not sure if this will work with your ISE implementation, but you could adjust the dACL applied to your users that would permit/deny connectivity to the network devices. So members of the Network Engineer group get IP connectivity to the network devices, then your device administration policies will handle authorization. Users who are not members of the Network Engineer group get a dACL that denies IP connectivity to your network devices so they never end up hitting the device administration authentication policy at all.