RBAC Admin gets full access on Cisco ISE 2.4

abhijith891
Level 1

Hello everyone,

I am creating an RBAC admin for a particular router, but he ends up getting access to all the other firewalls as well. I am not sure how this is happening, so here are the steps which I followed.

1) Created a User-Group, created the user and then assigned that user to that group.

2) Command Sets - default; Shell Profile - Max & Default Privilege = 15

3) Created a policy set and applied the condition to extract that device.

4) Authentication - default

5) Authorization - Conditions (user group) + [Command Sets + Shell Profile]

When I log in to that particular router, I am getting a hit count on those authentication and authorization policies, but I am also able to access the firewalls and other devices with that username/password. When I checked the TACACS live logs, they show that the login is allowed by All-Firewall>>Default and the shell profile as Security Device Admin. So can someone please help me out on this?

3 Replies

Timothy Abbott
Cisco Employee

It sounds like the account is also matching on the “All-Firewalls” policy set. You will have to modify your policy.

Regards,

-Tim

Hello Timothy,

That's exactly where the problem is. I am not able to figure out what options to use to filter out the traffic. So can you please suggest the steps to me?

Please ensure the RBAC admin policy set is before that of All-Firewalls, and provide screenshots of the two policy sets. ISE T+/RADIUS policies are both top-down and first matched.
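As an added illustration, not from this thread or from Cisco's code, here is a small Python model of the top-down, first-match evaluation the last reply describes, run for the same account logging into the router and into a firewall. It shows that moving the RBAC set above All-Firewalls fixes the router login, while firewall logins still land on All-Firewalls >> Default until that set's rules are scoped to the firewall admin group and its Default rule denies. The policy-set names other than All-Firewalls, the conditions, the groups and the shell profile names are assumptions; in particular it assumes All-Firewalls admits any device and its Default rule grants Security Device Admin, which is what the live log reported.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    result: str                     # shell profile granted, or "DenyAccess"

@dataclass
class PolicySet:
    name: str
    condition: Callable[[dict], bool]
    rules: List[Rule] = field(default_factory=list)
    default: str = "DenyAccess"     # the set's own Default authorization rule

def evaluate(sets, req):
    """First policy set whose condition matches wins; inside it, the first rule wins."""
    for ps in sets:
        if not ps.condition(req):
            continue                          # skip to the next policy set
        for rule in ps.rules:
            if rule.condition(req):
                return ps.name, rule.name, rule.result
        return ps.name, "Default", ps.default  # set matched, no explicit rule did
    return None, "none", "DenyAccess"          # no policy set matched

# Constructed TACACS+ requests (assumed attributes): the same RtrAdmins account
# logging into the router it was created for, and into a firewall.
ROUTER_LOGIN = {"device": "rtr-01", "type": "Router", "groups": {"RtrAdmins"}}
FW_LOGIN = {"device": "fw-01", "type": "Firewall", "groups": {"RtrAdmins"}}
# Assumed: All-Firewalls admits any device and its Default rule grants
# Security Device Admin, which is what the poster's live log reported.
all_firewalls = PolicySet("All-Firewalls", lambda r: True, default="Security Device Admin")
rtr_admin = PolicySet("RBAC-rtr-01", lambda r: r["device"] == "rtr-01",
                      [Rule("RtrAdmins", lambda r: "RtrAdmins" in r["groups"], "Priv15")])
# Hardened All-Firewalls: only firewalls enter it, only FwAdmins get a profile,
# and the Default rule is left at DenyAccess.
fw_strict = PolicySet("All-Firewalls", lambda r: r["type"] == "Firewall",
                      [Rule("FwAdmins", lambda r: "FwAdmins" in r["groups"],
                            "Security Device Admin")])

AS_BUILT = [all_firewalls, rtr_admin]   # All-Firewalls evaluated first
REORDERED = [rtr_admin, all_firewalls]  # the last reply's advice: RBAC set first
HARDENED = [rtr_admin, fw_strict]       # reordered and scoped

def run(sets):
    """Outcome (policy set, rule, result) for the router login and the firewall login."""
    return evaluate(sets, ROUTER_LOGIN), evaluate(sets, FW_LOGIN)
```

The TACACS+ live log columns the poster quoted (policy set, rule, shell profile) correspond to the three fields each `evaluate` call returns.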