topic Re: ISE 2.6 CLI Access through External Identity Store in Network Access Control

ISE 2.6 CLI Access through External Identity Store

JP_Berlin — Fri, 06 Dec 2019 15:15:28 GMT

Hi community,

I want to configure my AD as an external identity source for ISE CLI access. The only documentation I've found so far is this:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0101.html#id_99029

Maybe it's just me but in my opinion it doesn't cut it. Can anyone point me to a more comprehensive documentation? If it does not exist, I think we should create it!

Thanks,

Jonathan

Re: ISE 2.6 CLI Access through External Identity Store

Colby LeMaire — Fri, 06 Dec 2019 15:58:21 GMT

Within Active Directory, you can edit attributes for a particular user account. The documentation is saying to modify the "gidNumber" and "uidNumber" attributes in Active Directory for the account you want to use as the CLI Admin User. ISE will read those attributes to ensure the user is authorized to be a CLI Admin. These attributes are not used by Active Directory and are not set by default. So you can find your user within AD and go to Properties. Then select "Attribute Editor" to see/edit attributes. If you don't see the "Attribute Editor" tab, then you need to go to View and select the option for "Advanced". Then open Properties again and it will be there. Following are screenshots showing you the default settings for a user in AD for "gidNumber" and "uidNumber":

Re: ISE 2.6 CLI Access through External Identity Store

hslai — Sun, 08 Dec 2019 18:22:11 GMT

Colby.LeMaire is correct.

Attached is the section of our ISE 2.6 Update lab guide on this feature.

I also opened a doc bug to ask the admin and cli guides updated. CSCvs37998

Re: ISE 2.6 CLI Access through External Identity Store

JP_Berlin — Mon, 09 Dec 2019 10:54:06 GMT

Super helpful, thanks a lot for this description! I have it now running in my lab...

Re: ISE 2.6 CLI Access through External Identity Store

JP_Berlin — Mon, 09 Dec 2019 11:04:10 GMT

Thanks a lot for opening the defect. I really appreciate the effort by Product Management on this forum 👍🏻

Some feedback on the feature: I like it and I could make it run in a couple of minutes with this descriptive guide. I just hope we can avoid to rejoin the ISE node from the GUI in the future..

Re: ISE 2.6 CLI Access through External Identity Store

Sp@wn — Tue, 02 Jun 2020 09:54:50 GMT

Hello @hslai ,

Is it not necessary to create any tacacs + rules on the ISE using the "gidNumber" and "uidNumber" parameters configured on the Active Directory side, except for active directory integration from the command line?

Re: ISE 2.6 CLI Access through External Identity Store

hslai — Wed, 03 Jun 2020 16:24:42 GMT

Sp@wn ISE CLI Admin access is NOT using ISE T+ so no relationships to ISE T+ rules. I am guessing you are thinking about the admin CLI of Cisco PI, which allows T+.

Re: ISE 2.6 CLI Access through External Identity Store

Sp@wn — Wed, 03 Jun 2020 18:17:51 GMT

I am trying to understand how ISE decide the user is a CLI admin with full administrative role privilege or CLI user with read-only role privileges. where is the ISE uses these uidNumber and gidNumber values?

Re: ISE 2.6 CLI Access through External Identity Store

matthew.shelley — Fri, 24 Jul 2020 01:05:22 GMT

From https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0101.html#id_99029

Assign gidNumber as 110 or 111.
GidNumber 110 denotes an admin user whereas 111 denotes a read-only user.

Re: ISE 2.6 CLI Access through External Identity Store

Sp@wn — Fri, 24 Jul 2020 08:18:58 GMT

I am trying to understand the configuration made on ISE side for the CLI Access through External Identity Store. I read the document you shared. I did not see a configuration example related with GidNumber on the ISE side, but I encountered the following contradictory statement.

Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for CLI access.

Note

You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE Command Line Interface (CLI) does not feature these functions.