<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco ISE "Unknown" Super Admin Member in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094715#M589320</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I am tasked with the initial configuration of an ISE deployment (primary/secondary).&lt;/P&gt;
&lt;P&gt;During the AD join and enabling AD admins to access the GUI via External Identity Source I see two members in the Admin group -&amp;gt; Super Admin.&lt;/P&gt;
&lt;P&gt;First -&amp;gt; admin2 (this is the admin user added by the customer during installation)&lt;/P&gt;
&lt;P&gt;Second -&amp;gt; ~internal-edda-ers-user991&lt;/P&gt;
&lt;P&gt;I don't know this user and it looks like some kind of "system API account".&lt;/P&gt;
&lt;P&gt;So, for now I'm clueless and I can't find any helpful information.&lt;/P&gt;
&lt;P&gt;Can anyone explain to me how this user is created?&lt;/P&gt;
&lt;P&gt;What service does this account use?&lt;/P&gt;</description>
    <pubDate>Wed, 08 May 2024 20:03:20 GMT</pubDate>
    <dc:creator>alex.f.</dc:creator>
    <dc:date>2024-05-08T20:03:20Z</dc:date>
    <item>
      <title>Cisco ISE "Unknown" Super Admin Member</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094715#M589320</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I am tasked with the initial configuration of an ISE deployment (primary/secondary).&lt;/P&gt;
&lt;P&gt;During the AD join and enabling AD admins to access the GUI via External Identity Source I see two members in the Admin group -&amp;gt; Super Admin.&lt;/P&gt;
&lt;P&gt;First -&amp;gt; admin2 (this is the admin user added by the customer during installation)&lt;/P&gt;
&lt;P&gt;Second -&amp;gt; ~internal-edda-ers-user991&lt;/P&gt;
&lt;P&gt;I don't know this user and it looks like some kind of "system API account".&lt;/P&gt;
&lt;P&gt;So, for now I'm clueless and I can't find any helpful information.&lt;/P&gt;
&lt;P&gt;Can anyone explain to me how this user is created?&lt;/P&gt;
&lt;P&gt;What service does this account use?&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 20:03:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094715#M589320</guid>
      <dc:creator>alex.f.</dc:creator>
      <dc:date>2024-05-08T20:03:20Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE "Unknown" Super Admin Member</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094801#M589323</link>
      <description>&lt;P&gt;Those are local admin accounts that are not created as part of a default ISE install - looks like those were manually created.&lt;/P&gt;
&lt;P&gt;They also have nothing to do with your AD integration. Are you asking whether to remove them, or what they might be for?&lt;/P&gt;
&lt;P&gt;The "ers" in the 2nd username does seem to relate to some kind of API user. There is an ERS User Group that limits the access for those types of accounts - you don't want people logging in with that account - it should be limited to making REST API calls only.&lt;/P&gt;
&lt;P&gt;You can have a mix of local ISE Admin users, as well as AD Admin users. During the ISE Web GUI login, the default screen will display the option to log in with the AD Join accounts, but you can select "local accounts" from the drop down. You will always have at least one local ISE Admin user account to log into the GUI in the event that the AD join is not working. Or as a last resort option. It's also a useful account for things like Cisco DNAC/ISE integration. But you can create multiple ISE local admin accounts and it's a good practice to have&lt;/P&gt;
&lt;P&gt;During an ISE install, the first (default) ISE user is called 'admin'. Perhaps someone thought they were being more security conscious and chose the username 'admin2'. But that is just a guess.&lt;/P&gt;
&lt;P&gt;As for the second username, perhaps someone in your organisation is making API calls to ISE, using the ERS interface. You should be able to run an Operations audit report to see if that user has logged in in the last 30 days.&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 21:29:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094801#M589323</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-05-08T21:29:14Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE "Unknown" Super Admin Member</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094842#M589328</link>
      <description>&lt;P&gt;Actually, there are some internal Super Admin user accounts that are created automatically in newer versions of ISE for some of the more recent feature enhancements. Here is an example screenshot from my ISE 3.2 patch 5 instance:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-05-09 at 8.55.17 AM.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/217851iCC78BACA083293B5/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screenshot 2024-05-09 at 8.55.17 AM.png" alt="Screenshot 2024-05-09 at 8.55.17 AM.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;The 'edda' reference is related to the pxGrid Direct feature and the 'mctrust' reference is related to the Meraki Sync Service feature. I believe both of these functions run as Docker containers, so I suspect these are internal admin accounts used for authentication of internal communications related to those container microservices.&lt;/P&gt;</description>
      <pubDate>Wed, 08 May 2024 23:02:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-quot-unknown-quot-super-admin-member/m-p/5094842#M589328</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2024-05-08T23:02:59Z</dc:date>
    </item>
  </channel>
</rss>

