topic Re: ISE admin Group AD users in Network Access Control

ISE admin Group AD users

manvik — Thu, 28 Mar 2024 05:10:29 GMT

I have created an external admin group in ISE, which is pointing to an AD group. There are several users in this AD group.
Will all the users in this AD group gets ISE admin access or can it be restricted to few users.

Re: ISE admin Group AD users

Rob Ingram — Thu, 28 Mar 2024 08:26:47 GMT

@manvik any member of that group would be allowed based on that group membership.

Ideally you should create a new group and add the users that require access into that group.

Re: ISE admin Group AD users

manvik — Thu, 28 Mar 2024 08:53:08 GMT

oops that's shocking, is there any way to control this in ISE.
AD is handled diff department. Creating groups, adding/changing users to that group ha lengthy process and wait period.

Re: ISE admin Group AD users

Rob Ingram — Thu, 28 Mar 2024 08:59:35 GMT

@manvik use individual local accounts in the short term. And also arranage for the other department to create a dedicated AD group for ISE administrator, this is the standard approach of delegating mgmt to ISE administrators.

Re: ISE admin Group AD users

thomas — Thu, 28 Mar 2024 20:06:36 GMT

This should not be shocking - this is the exact reason why group-based access exists and how it works to save you the need to individual manage permissions for 10's/100's/1000's of user accounts.

Re: ISE admin Group AD users

manvik — Tue, 16 Apr 2024 07:23:42 GMT

Guys i tested this in the lab with ISE 2.7 version.

1. Created an AD group in AD and added users (aduser1) to it.
2. Created external Administrator Group in ISE and selected the AD group
3. Logged into the ISE portal with username aduser1
4. Result - Administrator authentication failed

i checked the Admin audit log in ISE. It gave log "Authentication failed due to zero RBAC Groups."

Created another AD user and added in ISE as super admin group. This user was able to login to ISE GUI. I think we can conclude ISE is intelligent enough to deny any AD user from logging to admin GUI portal.

Re: ISE admin Group AD users

Aref Alsouqi — Tue, 16 Apr 2024 10:27:25 GMT

Are you saying that you had to create the admin locally in the AD as well as in ISE local database? if that is the case then I would say there is something wrong as if you point to an AD group for the admin accesses you shouldn't create any local account for those admins.

Re: ISE admin Group AD users

manvik — Tue, 16 Apr 2024 13:06:49 GMT

@Aref Alsouqi, nope. AD user is created in AD only. AD group is called out as an ISE admin group.
User wont be permitted to login to ISE GUI, if it's not created in ISE as an external password user.

Re: ISE admin Group AD users

Aref Alsouqi — Tue, 16 Apr 2024 13:25:40 GMT

Thanks for the clarification. I don't remember ever had to do it that way, usually I connect ISE to AD and create the RBAC policy connecting the specific admin users AD group that would have full permissions.