Cisco Bug: CSCvt74530 - Authorization Policy should not need attributes for AD user if they are not being used in Conditions

Last Modified

Apr 14, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.6(0.156)

Description (partial)

Symptom:
You might see RADIUS logs like this:

24323    Identity resolution detected single matching account
24355    LDAP fetch succeeded - domain.com
24416    User's Groups retrieval from Active Directory succeeded - CompanyAD
24356    LDAP fetch failed - domain.com,ERROR_LDAP_SERVER_DOWN
24419    User's Attributes retrieval from Active Directory failed - CompanyAD
15048    Queried PIP - CompanyAD.ExternalGroups (31 times)
15016    Selected Authorization Profile - DenyAccess

As the steps show, the group fetch (24416) succeeded while the attribute fetch (24419) failed. Even though the AuthZ rule only checked an AD group (the only PIP queried was CompanyAD.ExternalGroups), the rule still did not match, and the session fell through to the Default DenyAccess rule.

Conditions:
The AuthZ policy uses no AD attribute as a condition (an AD group condition is fine),
AND
the attribute fetch fails for the given user.
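To pick out sessions that show this signature in bulk, the step list from a RADIUS live-log detail can be parsed and checked for the combination described above: groups retrieved (24416), attributes failed (24419), DenyAccess selected (15016), and only ExternalGroups queried as a PIP (15048). The following is an added example written for this page, not Cisco code or an ISE API; the first sample is the step list from the Symptom section, and the second sample and the attribute name CompanyAD.department are constructed to show a deny that should not be attributed to this bug because the policy also depended on an AD attribute.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: the step list quoted in this bug's Symptom section,
# laid out as ISE shows it in the Steps pane of a RADIUS live-log detail.
BUG_SAMPLE = """\
24323    Identity resolution detected single matching account
24355    LDAP fetch succeeded - domain.com
24416    User's Groups retrieval from Active Directory succeeded - CompanyAD
24356    LDAP fetch failed - domain.com,ERROR_LDAP_SERVER_DOWN
24419    User's Attributes retrieval from Active Directory failed - CompanyAD
15048    Queried PIP - CompanyAD.ExternalGroups (31 times)
15016    Selected Authorization Profile - DenyAccess
"""

# Constructed sample 2 (hypothetical, not from the page): same AD attribute
# outage, but the policy also queried an AD attribute, so DenyAccess may be the
# correct outcome and this must NOT be flagged as the bug. The attribute name
# "CompanyAD.department" is an assumption made for the example.
LEGIT_DENY_SAMPLE = """\
24416    User's Groups retrieval from Active Directory succeeded - CompanyAD
24419    User's Attributes retrieval from Active Directory failed - CompanyAD
15048    Queried PIP - CompanyAD.ExternalGroups (4 times)
15048    Queried PIP - CompanyAD.department
15016    Selected Authorization Profile - DenyAccess
"""

# One step per line: a five-digit step code, whitespace, then the message.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")
PIP_RE = re.compile(r"Queried PIP - (\S+)")


@dataclass
class Step:
    code: str
    message: str


def parse_steps(text):
    """Parse 'NNNNN  message' lines into Step records; other lines are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append(Step(m.group(1), m.group(2)))
    return steps


def queried_pips(steps):
    """Names of the policy information points the engine consulted (15048 steps)."""
    pips = set()
    for s in steps:
        if s.code == "15048":
            m = PIP_RE.search(s.message)
            if m:
                pips.add(m.group(1))
    return pips


def classify(text):
    """Check one session's step list against the signature of CSCvt74530.

    The session matches only if groups were fetched, attributes failed, the
    result was DenyAccess, and every PIP the policy queried was an
    ExternalGroups lookup (i.e. no AD attribute was part of any condition).
    """
    steps = parse_steps(text)
    codes = {s.code for s in steps}
    pips = queried_pips(steps)
    result = {
        "groups_ok": "24416" in codes,
        "attrs_failed": "24419" in codes,
        "denied": any(s.code == "15016" and s.message.endswith("DenyAccess")
                      for s in steps),
        "pips": sorted(pips),
        "only_group_pips": bool(pips) and all(p.endswith(".ExternalGroups")
                                              for p in pips),
    }
    result["matches_bug"] = all(result[k] for k in
                                ("groups_ok", "attrs_failed", "denied",
                                 "only_group_pips"))
    return result


if __name__ == "__main__":
    for name, sample in (("bug sample", BUG_SAMPLE),
                         ("legit deny sample", LEGIT_DENY_SAMPLE)):
        r = classify(sample)
        print(f"{name}: matches_bug={r['matches_bug']} pips={r['pips']}")
```

The check on the queried PIPs is what separates this bug from an ordinary consequence of an AD outage: if the policy consulted any attribute other than ExternalGroups, the failed attribute fetch can legitimately make a rule not match, and the deny is expected rather than a symptom of this defect.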