https://community.cisco.com/t5/network-access-control/ise-admin-access-external-identity-store/m-p/4182133#M563764 <P>solved myself:</P><P>&nbsp;</P><P>the 2. admin-group for user-administration had no entry in the RBAC-Policy</P> Wed, 11 Nov 2020 13:50:48 GMT gaigl 2020-11-11T13:50:48Z https://community.cisco.com/t5/network-access-control/ise-admin-access-external-identity-store/m-p/4182122#M563763 <P>Hello,</P><P>&nbsp;</P><P>we've ISE 2.7 patch 2 and Super Admin Access is authenticated by a AD-Group (external Identity Store), this works without problem.</P><P>We've another Admin Group for an internal user-store, and this group is authenticated also external by another group on AD.</P><P>They login very rarely, but now they can't login anymore (invalid username or password)</P><P>They use this accounts for there daily work, so the accounts are ok</P><P>if I try to change the mapped group to a group where I'm member of, it works neither.</P><P>Under the AD connector the groups are fine, I can retrieve ssid or attributes.</P><P>The same occurs on a standalone ISE and on a Deployment (same Patch-Level)</P><P>&nbsp;</P><P>Any Idea, where I can start the search?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Karl</P> Wed, 11 Nov 2020 13:28:50 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-external-identity-store/m-p/4182122#M563763 gaigl 2020-11-11T13:28:50Z https://community.cisco.com/t5/network-access-control/ise-admin-access-external-identity-store/m-p/4182133#M563764 <P>solved myself:</P><P>&nbsp;</P><P>the 2. admin-group for user-administration had no entry in the RBAC-Policy</P> Wed, 11 Nov 2020 13:50:48 GMT https://community.cisco.com/t5/network-access-control/ise-admin-access-external-identity-store/m-p/4182133#M563764 gaigl 2020-11-11T13:50:48Z