Cisco Bug: CSCvt74530 - Authorization Policy should not need attributes for AD user if they are not being used in Conditions
Apr 14, 2020
- Cisco Identity Services Engine
Known Affected Releases
Symptom: You might see RADIUS logs like this:
- 24323 Identity resolution detected single matching account
- 24355 LDAP fetch succeeded - domain.com
- 24416 User's Groups retrieval from Active Directory succeeded - CompanyAD
- 24356 LDAP fetch failed - domain.com,ERROR_LDAP_SERVER_DOWN
- 24419 User's Attributes retrieval from Active Directory failed - CompanyAD
- 15048 Queried PIP - CompanyAD.ExternalGroups (31 times)
- 15016 Selected Authorization Profile - DenyAccess
As you can see, the groups fetch was successful and the attributes fetch failed, and even though the AuthZ rule only checked for an AD group, we still didn't match that rule and instead matched the Default-DenyAccess rule.
Conditions: Have no attribute (an AD group is fine) as an AuthZ condition, AND the attribute fetch fails for the given user.
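To find sessions that show this pattern in a batch of exported ISE step logs, the following is an added example (not Cisco's code and not part of the bug report). It assumes a constructed `session step message` line format rather than ISE's own export layout; the step codes it keys on (24416, 24419, 24356, 15016) are the ones quoted above. A DenyAccess result is only a candidate: an authorization rule may legitimately deny, so the filter is a triage aid, not proof the bug fired.

```python
"""Triage helper: flag ISE sessions where AD group retrieval succeeded,
AD attribute retrieval failed, and the session still ended in DenyAccess.

Added example. The 'session step message' line layout is a constructed
assumption for this script, not Cisco's export format.
"""
import re
from collections import defaultdict

# One log line per step: "<session-id> <5-digit step code> <message>" (constructed format)
STEP_RE = re.compile(r"^(?P<session>\S+)\s+(?P<step>\d{5})\s+(?P<msg>.*)$")

GROUPS_OK = "24416"          # User's Groups retrieval from Active Directory succeeded
ATTRS_FAILED = "24419"       # User's Attributes retrieval from Active Directory failed
LDAP_FETCH_FAILED = "24356"  # LDAP fetch failed - <domain>,<error>
AUTHZ_PROFILE = "15016"      # Selected Authorization Profile - <profile>


def parse(lines):
    """Group (step_code, message) tuples by session id; skip unparseable lines."""
    sessions = defaultdict(list)
    for line in lines:
        m = STEP_RE.match(line.strip())
        if m:
            sessions[m["session"]].append((m["step"], m["msg"]))
    return sessions


def classify(steps):
    """Return a finding for one session, or None if it does not match the pattern."""
    codes = {code for code, _ in steps}
    profile = next(
        (msg.split(" - ", 1)[1] for code, msg in steps
         if code == AUTHZ_PROFILE and " - " in msg),
        None,
    )
    if GROUPS_OK in codes and ATTRS_FAILED in codes and profile == "DenyAccess":
        # Pull the LDAP error token (after the comma) if a 24356 step is present.
        ldap_error = next(
            (msg.split(",", 1)[1] for code, msg in steps
             if code == LDAP_FETCH_FAILED and "," in msg),
            "unknown",
        )
        return {"profile": profile, "ldap_error": ldap_error}
    return None


def find_suspect_sessions(lines):
    """Map session id -> finding for every session matching the pattern."""
    findings = {}
    for sid, steps in parse(lines).items():
        finding = classify(steps)
        if finding:
            findings[sid] = finding
    return findings


# Constructed sample: session s1 reproduces the sequence from the bug report,
# session s2 is a healthy authentication that must not be flagged.
SAMPLE_LOG = [
    "s1 24323 Identity resolution detected single matching account",
    "s1 24355 LDAP fetch succeeded - domain.com",
    "s1 24416 User's Groups retrieval from Active Directory succeeded - CompanyAD",
    "s1 24356 LDAP fetch failed - domain.com,ERROR_LDAP_SERVER_DOWN",
    "s1 24419 User's Attributes retrieval from Active Directory failed - CompanyAD",
    "s1 15048 Queried PIP - CompanyAD.ExternalGroups (31 times)",
    "s1 15016 Selected Authorization Profile - DenyAccess",
    "s2 24323 Identity resolution detected single matching account",
    "s2 24416 User's Groups retrieval from Active Directory succeeded - CompanyAD",
    "s2 15016 Selected Authorization Profile - PermitAccess",
]

if __name__ == "__main__":
    for sid, finding in find_suspect_sessions(SAMPLE_LOG).items():
        print(f"{sid}: groups ok, attributes failed ({finding['ldap_error']}), "
              f"ended in {finding['profile']}")
```

Sessions that appear here should be cross-checked against the authorization policy: if the matched rule references only an AD group and no AD attribute, the session fits the reported behaviour and the correlated LDAP error (here `ERROR_LDAP_SERVER_DOWN`) points at the directory connectivity problem to fix.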
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.