topic Authentication admin user with AD in Network Access Control

Authentication admin user with AD

eric.lessard — Mon, 11 Mar 2019 03:17:38 GMT

hey!

Am having an issue with admin groups.

am trying to do en external authentication with AD users but fails with a : Authentication failure for user: Eric : No admin groups

All seems fine, autorisation policy, Menu acces, Data access AD group binding with ISE Super Admin group

My user is ok on AD ( not locked, expired or anything )

Anyone got that problem before?

Thx

Authentication admin user with AD

Jatin Katyal — Thu, 11 Apr 2013 00:38:22 GMT

Possible defect.

CSCud31796 ISE - External RBAC fails if user member of group containing apostrophe

Symptom:

RBAC utilizing an external identity store (AD, LDAP) group mapping fails for a user with the correct group(s) to gain access to the ISE GUI. The following message will be displayed:

"Authentication failure for user: username : No admin groups"

Conditions:

The user is a member of a group which contains the apostrophe character.

Workaround:

No workaround exists within ISE.

1. Rename all groups in the external identity store such that they do not contain apostrophes

2. Remove users participating in ISE administration from any external groups that contain apostrophes

Jatin Katyal
- Do rate helpful posts -

Authentication admin user with AD

Zachary McGibbon — Fri, 12 Apr 2013 14:49:45 GMT

I'm having a similar issue, however my AD group doesn't have any apostrophe charachters. The only 'non standard' characters it has is some spaces " " and a "&" symbol, could this cause the same problem?

Re: Authentication admin user with AD

eric.lessard — Fri, 12 Apr 2013 17:39:09 GMT

Hello Zach,

My groups didnt have an apostrophe but my OU did...

mydomain.local/admin groups/doesn't need auth/ISe_admin ( kinda group )

i dont wanna replace Cisco TAC teams but:

1. Log into ISE using a working admin user and navigate to Administration > System > Logging > Debug Log Configuration

2. Select the admin node from the "Node list" on the right and click the "Edit" button

3. Turn up the logging level of the "nfs" and "identity-store-AD" components (click on the current log level and change it to TRACE)

4. Try to log in using the failing user.

5. Navigate to Operations > Troubleshoot > Download Logs and select your admin node

6. Click the "Debug Logs" item in the right pane

7. Download the file "ise-psc.log" search for the last auth fail with yur user

Thats how i did find my problematic groups.

I asked the tac engeneer to update the CSCud31796 to include the OU names, not only groups

Hope that help

by the way:

1- will be fixed in release 1.2

2- the apostrophe actually stop the group membership comparaison

3- didnt test it yet but i suspect that any comparason rules, aka memberof in any policy.. wont work because of that

to fix that, in addition to Jatin Comments, you could put yur user in the TOP level groups lets say: mydomain.local/admin groups/1-admin_ise

this way, the appostrophe wont be hit before matching the rule.

Thx to Jatin Also

Bye

Ce message a été modifié par: Eric Lessard

Re: Authentication admin user with AD

eric.lessard — Fri, 12 Apr 2013 17:49:55 GMT

Thx Jatin!

see my comment below... do you know if in fact it would also impact any policy rules based on membership ? or is it only affecting admin access?

Authentication admin user with AD

Jatin Katyal — Thu, 18 Apr 2013 01:52:49 GMT

sorry for any delay!

Well I did read user Auth fail on Authorization Policy when rule contain group with special character.

This problem exist in ACS 5.x as well.

Jatin Katyal

- Do rate helpful posts -