topic Re: ISE Prime integration superuser admin in Network Access Control

ISE Prime integration superuser admin

jan.murin — Mon, 02 Mar 2020 10:16:27 GMT

Hi,

didn't find the answer anywhere so would like to ask if someone knows why the Prime needs a superuser admin for the integration. The Prime server should only read some data from ISE, so I thought a Read-only admin would be enough.

Many customers have problem to add the superuser rights to such a user so a good explanation would be great.

Thanks a lot.

Re: ISE Prime integration superuser admin

Marvin Rhoads — Mon, 02 Mar 2020 11:55:41 GMT

Are you asking about integration with Active Directory (AD)? If so, no AD admin user account is required - only one with the ability to join the ISE nodes to the domain as domain computers and then only during initial configuration.

Re: ISE Prime integration superuser admin

jan.murin — Mon, 02 Mar 2020 13:08:20 GMT

Hi Marvin,

thanks for the reply. I am talking about the integration of Cisco ISE with the Prime infrastructure.

A local admin account in ISE is required and that admin has to be superuser. I do not understand why such privileges are needed.

Thanks

Re: ISE Prime integration superuser admin

Marvin Rhoads — Mon, 02 Mar 2020 13:55:38 GMT

I suspect it is because the developers did not take the trouble to dig deeply into the Role-Based Access Control (RBAC) capabilities of ISE. Rather than define the exact data fields/types and roles necessary to integrate, it was easier for them to just say to use a superuser account.

Re: ISE Prime integration superuser admin

jan.murin — Mon, 02 Mar 2020 14:16:13 GMT

Thanks Marvin, that's what I thought.

That's not good and I understand that the customers don't like it.

Re: ISE Prime integration superuser admin

Murinos — Thu, 19 Mar 2020 13:13:14 GMT

Have same question here.

Customer with highly secure environment doesn't want to allow any unnecessary superuser access to ISE . Especially since there is no explict documentation neither in ISE configuration guides or PI configuration guides...

Also there is no explanation, how does PI interacts with ISE - ports or protocols we should open on firewalls seems to be investigated by packet capture...

Re: ISE Prime integration superuser admin

Marvin Rhoads — Thu, 19 Mar 2020 13:29:13 GMT

Ports and protocols I can answer - it is tcp/443 transporting TLS 1.2 (unless you have some really old unsupported releases in which case it's TLS 1.1).

Re: ISE Prime integration superuser admin

Murinos — Thu, 19 Mar 2020 13:34:47 GMT

Thanks a lot for that!

Is there any references in documentation? Unfortunately, we can't just refer to Cisco community, customer's security department need a proof for every ACL created...

Re: ISE Prime integration superuser admin

Marvin Rhoads — Thu, 19 Mar 2020 14:50:26 GMT

The ISE server is added from the PI side. When you do that, the port is shown in the GUI:

Additionally you can easily run tcpdump on the ISE node (Operations > Troubleshoot > Diagnostic Tools) and see the traffic. Packet capture doesn't lie, no matter what the guides show (or don't show).

Re: ISE Prime integration superuser admin

Murinos — Fri, 20 Mar 2020 18:28:36 GMT

Marvin, thank you very much!

Re: ISE Prime integration superuser admin

hslai — Mon, 23 Mar 2020 20:16:23 GMT

Since ISE 2.0, the user could be one of the following ISE admin user roles:

SUPER_ADMIN,SYSTEM_ADMIN,MNT_ADMIN

Re: ISE Prime integration superuser admin

Murinos — Thu, 09 Apr 2020 07:37:52 GMT

Hello @hslai ,
Cisco TAC says that it is not possible:

Please be advised that the credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

May you please give any screenshots to proof it works? We have a ssh issue connecting PI to ISE(the reason to ask TAC for help) and we can't test it ourselves.

Thanks a lot!

Re: ISE Prime integration superuser admin

hslai — Thu, 09 Apr 2020 16:57:36 GMT

... We have a ssh issue connecting PI to ISE(the reason to ask TAC for help) and we can't test it ourselves.
...

PI does not connect to ISE via SSH AFAIK. Only Cisco DNA Center requires ssh to ISE.

Introduction to the Monitoring REST APIs is where we documented the admin role requirements due to CSCur87193, which is not customer visible due to lack of a release-note-enclosure. We were supposed to be documented in ISE compatibility matrix but somehow the info lost and our BE is not regularly testing ISE integration with PI.

IIRC we tested it successfully with ISE 2.0/2.1 and PI 3.1 in CY2016. As that is 4 years ago, the setup is no longer available.

Re: ISE Prime integration superuser admin

Murinos — Thu, 09 Apr 2020 17:10:10 GMT

@hslai Thank you for clarification! That's inspiring. Will post what we'll be able to do.

SSH - my fault, I meant TLS of course.

Re: ISE Prime integration superuser admin

Murinos — Mon, 09 Nov 2020 12:56:59 GMT

Hi hslai,

We made it work, thanks to you!

We have added ISE to PI using MnT Admin user role instead of Super Admin.