topic Re: AD Protected Accounts not supported with ISE in Network Access Control

AD Protected Accounts not supported with ISE

arennick — Mon, 25 Apr 2022 16:27:07 GMT

Windows domain admin users are not able to authenticate via ISE with AD when logging on to troubleshoot a remote PC. It looks like this is due to a bug "AD Protected Accounts not supported with ISE."

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy39859

I imagine that this must be causing problems with the workflow of other organizations as well. Has anyone found a creative workaround?

Re: AD Protected Accounts not supported with ISE

flobo — Wed, 29 Mar 2023 20:42:56 GMT

Hi,

Does anyone have more information regarding AD protected users? I have a customer that is facing problems authentication with this type of users. In the bug there isn't any information.

Regards

Re: AD Protected Accounts not supported with ISE

thomas — Mon, 03 Apr 2023 03:39:47 GMT

Please be very specific about your scenario.

Is this an 802.1X authentication on a Windows computer?

What is the Windows group that the user is a member of that is not working?

What is the specific error in the ISE LiveLog?

Re: AD Protected Accounts not supported with ISE

flobo — Mon, 03 Apr 2023 23:00:16 GMT

Hi,

It's for ISE administration. The user isn't able to login in to the ISE GUI, the user is able to login within other applications.

We get this logs from the ISE:

Event: Administrator authentication failed

Event Details: Authentication failed due to invalid user or password, or account is disabled/locked

Also if we test the user from ISE within Test User Authentication with Authetication Type: MS-RPC, we get this log:
RFC Logon request faildes = STATUS_ACCOUNT_RESTRICTION,ERROR_LOGON_FAILURE

I'm not familiar with AD and we don't handle it. What we know is that this user is a protected user.

Thanks

Re: AD Protected Accounts not supported with ISE

thomas — Sat, 08 Apr 2023 22:34:56 GMT

Ah, ok, thank you for those details! That helps!

Since this is a known bug, perhaps by using a different AD Administrator Group that those same admins are members of?

I show how to configure the mapping of AD groups to ISE Admin Groups in

▷ ISE Initial Setup and Operations

33:53 RBAC Policy
34:08 Admin Groups and Roles
35:38 Admin Users
36:25 Use Active Directory External Identity Store for Admin Groups
40:02 Map AD Groups to ISE Admin Groups
42:16 NetworkDeviceAdmin Role Test

Re: AD Protected Accounts not supported with ISE

neaugust — Tue, 11 Apr 2023 10:26:28 GMT

Test message 3

Re: AD Protected Accounts not supported with ISE

flobo — Tue, 11 Apr 2023 14:55:48 GMT

The AD team modified the users to be "normal users", now these users can authenticate and login ISE without problems.

Thank you for your help.

Re: AD Protected Accounts not supported with ISE

PetrVyhlidal1489 — Tue, 05 Sep 2023 13:45:18 GMT

It is painful for us too. For security reasons ( some of them are nicely described here Windows Server: Protected Privileged Accounts - Petri IT Knowledgebase ), our admins have administrative accounts in Protected users group. It means, that authentication over MS-RPC is prohibited for that users. Since ISE needs MS-RPC " by design"(CSCvy39859 : Bug Search Tool (cisco.com)) for communicating with AD, those users could not be authenticated. I Think, giving up higher security standard ( recommended by Microsoft in connection with tiering) by moving admins from protected accounts to standard accounts is no solution. It would be really nice, if Cisco solved this issue.