Thanks for your reply. Did you have PAN & MnT roles in separate nodes or together ? In my scenario all roles are on separate nodes. After the patch the authentication policies are all gone and I was unable to make any changes to policies. If I roll back the patch it works.

Please make sure you open a tac case

Like Jason suggested, it's best to engage Cisco TAC to troubleshoot. Otherwise, please provide a copy of your ISE 2.3 CFG backup before applying Patch 1.

Hi everyone

Thanks for your responses. I would surely log this with Cisco TAC. But out of curiosity I have setup another LAB and done some tests and have been able to reproduce the problem.

If you deploy 2.3.0.298 and create a Policy Set with some Authentication and Authorization rules and then apply the Patch 1 you would be able to reproduce the error. The default policy set doesn't seem to be affected unless you customized the default policy set. Any customization/addition done to Policy Sets before Patch would be affected. This was a distributed deployment.

If anyone sees the issue please do let me know.

Thanks for your help.

Hi hslai

I tried searching for the bug but it seems I do not have sufficient privileges to view the bug details. Please could you let me know if this would be resolved by Cisco or we would have to use a workaround as you suggested.

According to your workaround shall I modify the Default Policy Set or Default Authentication rule within my custom Policy Set.

My expectation was Cisco would have tested these basic things before releasing a Patch as this would affect significantly in a production environment.

Thanks for your assistance on this.

Please open a TAC case and ask TAC to request for a hot patch.

The bug should become visible in a day or two. Yes, TAC case notes for another customer showed the workaround is to delete the rule and reconfigure it.

Policy Set - Authentication Policy is empty (Null Pointer Exception) if setting 'Deny Access'

CSCvg44615

   Symptom:

ISE Authentication Policy shows no rules.

Conditions:

ISE 2.3 Patch 1

One of the authentication rules, including default, uses "Deny Access" as the identity source.

Workaround:

Delete the affected policy set, reconfigure all authentication policy rules to use an identity source other than "Deny Access".

Hi Favas

Thanks for the bug details. The workaround is difficult in production so I presume not applying Patch 1 is best way forward.

@Randy - that sounds promising.  Just to be clear, does the Patch 1 bug affect Authentication Policies where there is at least one DenyAccess - e.g. below.  If I leave it as is, will something break?

I have tried to make all my Policies as water tight as possible and I don't use defaults - e.g. in the Default Rule I use "Allow_non" as allowed protocols (which is an empty list). And I always put DenyAccess at the end of all my Authorization Policies.

But if that is going to break my policies then I can relax that for the purposes of the patch 1, which I am planning this Thursday.

arne.bier as I understand it, you need to make sure 'DenyAccess' is not applied to any of your 'Authentication Policies'. In the environment I just upgraded, some of the 'Authorization Policies', not all, still had default 'DenyAccess' as last rule. The bug, accordingly to what I read and what TAC told me, only applies to your 'Authentication Policies'.

Hi Arne

I would be a little careful. Because allowed protocols option in v2.3 is at Policy Set Level only. Inside a policy set where you have authencation rules you dont have allowed protocol option anymore.

I would suggest to have a look in a lab at the 2.3 architecture before you upgrade production. Also please ensure you verify this with the experts in the forum.

Thanks