topic RBAC controls for ISE M&T node in Network Access Control

RBAC controls for ISE M&T node

mpeeters — Thu, 09 Mar 2017 19:53:46 GMT

Can you please confirm if a Cisco ISE MnT node can and should join Active Directory. All other nodes in the 'cube' for a 2.1 deployment have joined AD. There is typically no need for an MnT node to join AD... except that we are using AD integration for RBAC and when you login to the MnT node GUI you cannot using AD credentials.

Is there the concept of RBAC for local GUI access to the ISE M&T node itself ? If so how in the ISE M&T node joined to AD ? If not what credentials are used for the local ise M&T node administration access ?

Thx

Re: RBAC controls for ISE M&T node

Charlie Moreton — Thu, 09 Mar 2017 20:08:14 GMT

Typically, you do not have to log in to the MnT node itself. Everything is handled through the Admin Portal on the Primary Admin Node.

To join MnT to the domain, you can do it the same way you join all other nodes. Navigate to Administration > Identity Management > External Identity Sources > Active Directory, select your AD entry and then choose the node you want joined and click the Join button.

This allows for your RBAC to controll ALL logins to ALL ISE nodes without the need for additional rules to account for local access/accounts.

Re: RBAC controls for ISE M&T node

hslai — Sat, 11 Mar 2017 03:12:23 GMT

Adding to Charles, Administrative Access to Cisco ISE Using an External Identity Store says,

...

During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing “Internal” from the Identity Store drop-down selector in the login dialog.