topic Re: ISE Locks Admin Account in Network Access Control

ISE Locks Admin Account

hurricane05 — Tue, 22 Dec 2020 10:12:43 GMT

It seems the original admin account that was used to join our ISE to Active Directory, keeps locking the Active Directory account. Where do we change the admin account in ISE that is used to query and access Active Directory that would have the AD account configured?

Thx in Advance for any assistance given.

Re: ISE Locks Admin Account

Mark Elsen — Tue, 22 Dec 2020 11:16:26 GMT

- Check if this procedure can help , to add new account or to make changes :

https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612

Re: ISE Locks Admin Account

ilay — Wed, 23 Dec 2020 05:10:24 GMT

I have tested this problem. First, join all ISE nodes to a test domain controller, then disable the account used for join domains, restart all ISE nodes, after restart, all ISE nodes still in normal state, ise authenticaiton work well too.

After the ISE node join to AD, ISE will appear in the Domain Computers group of the Domain Controller, just like an ordinary windows device is join to the Domain Controller. Although the account is disabled, it does not affect ISE authentication.

If you need to update the username used for join to the AD, you need to disconnect all nodes from the DomainController first, and then rejoin with the new username.(select all ise nodes, click "Leave", type username/password, then click "Join" type username/password again. //The username can be any user who has the permission to join/leave the Domain)

Re: ISE Locks Admin Account

hurricane05 — Wed, 23 Dec 2020 09:23:35 GMT

Thx for the responses everyone as I've been reviewing the possible options. iLay - with the option of having the node leave and re-join the domain, does that affect any of the current policies setup for enforcement or affect existing end points?

Re: ISE Locks Admin Account

ilay — Wed, 23 Dec 2020 10:20:25 GMT

Leave & rejoin the domain will not affect the existing policy settings, but all policies that rely on this "Identity Sources" will not work properly.

Re: ISE Locks Admin Account

hslai — Sun, 27 Dec 2020 04:56:22 GMT

Each ISE PSN is using its AD computer account to perform the regular AD authentications in RADIUS and T+ transactions.

Unless AD domain controllers used as ISE Passive ID providers (WMI or PIC Agent or Endpoint Probes), ISE needs not store the AD user credentials that used to join ISE nodes to AD. If the AD credentials not stored, then we need NOT perform what ilay suggested on leaving and re-joining AD operations, which will disrupt the AD authentications.

Re: ISE Locks Admin Account

hurricane05 — Sun, 27 Dec 2020 10:07:30 GMT

Thx for the input Hslai. Being that I jut took over this ISE system and previous administrator is no longer with the organization, is there a way to check to the configuration either through the gui or cli to see if when the node was joined to the domain, the option to store the AD credentials was selected? And if it was, is there an option to remove that without disrupting the communications with AD? This is a single node running all the individual node components.

Thx in advance for any response provided.

Re: ISE Locks Admin Account

hurricane05 — Thu, 31 Dec 2020 11:24:10 GMT

Hi Hslai,

I looked a little further in the ISE Passive ID and noticed the below settings. So would this be the issue that may be occurring here since the account that is listed here is the one that is constantly locking up and should replace this account with the new one?

Re: ISE Locks Admin Account

hslai — Fri, 01 Jan 2021 04:24:18 GMT

Yes, you are correct.