https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452548#M88298 <HTML><HEAD></HEAD><BODY><P>Aastha: <SPAN style="font-size: 10pt;">How did you manage to display Identity Sources on the Login Page? I am using Super Admin account and the portal login doesn't have this menu/drop down with Identity Sources listed.</SPAN></P><P></P><P>Thanks for your help.</P><P></P><P>Srinivas</P></BODY></HTML> Thu, 06 Feb 2014 21:09:44 GMT srinivas_mukhyla 2014-02-06T21:09:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452545#M88295 <P>I have configured the LDAP and able to retrive our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Idenitity sources are unreachable. How can I test the LDAP authentication with out breaking our Admin Access? I thought of opening two parallel sessions, one with Super Admin Local Account and the other with Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers so basically I can't open two parallel sessions from same machine to do the tests. Suggestions? or Am I missing something here?</P><P></P><P>Many thanks in advance.</P> Mon, 11 Mar 2019 04:21:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452545#M88295 srinivas_mukhyla 2019-03-11T04:21:36Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452546#M88296 <HTML><HEAD></HEAD><BODY><P>Srinivas,</P><P></P><P>Do you have users authenticating 24 hours a day?&nbsp; If not, then set up an off-hours experiment.</P><P></P><P>Set the Admin Access Authentication Method to LDAP and log out then back in to the ISE.</P><P></P><P>Once you verify this works, disconnect the ISE from the network and connect it to a switch between just it and your PC.&nbsp; Try to log in.&nbsp; Use both the LDAP and Internal Admin User credentials.&nbsp; </P><P></P><P>Verify which one works, reconnect the ISE to the main network and post your findings here.</P><P></P><P>If you do have 24 hour authentications, you may want to set up a test lab with a VM to research this.</P><P></P><P>Sorry, but I cannot find any definitive documentation on this.</P><P></P><P>Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.&nbsp; Otherwise, feel free to post follow-up questions.</P><P></P><P>Charles Moreton</P></BODY></HTML> Thu, 06 Feb 2014 15:36:19 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452546#M88296 Charlie Moreton 2014-02-06T15:36:19Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452547#M88297 <HTML><HEAD></HEAD><BODY><P>Hi Srinivas,</P><P></P><P>Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :</P><P></P><P>During operation, Cisco ISE is designed to "fall&nbsp; back" and attempt to perform authentication from the internal identity&nbsp; database, if communication with the external identity store has not been&nbsp; established or if it fails. <STRONG>In addition, whenever an administrator for&nbsp; whom you have set up external authentication launches a browser and&nbsp; initiates a login session, the administrator still has the option to&nbsp; request authentication via the Cisco ISE local database by choosing&nbsp; "Internal" from the </STRONG><STRONG>Identity Store drop-down selector in the login dialog. </STRONG></P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543" rel="nofollow">http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543</A></P><P></P><P>Please refer to the attached screenshot from my lab ISE:</P><P></P><P><IMG /></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/7/0/180071-AdminAuth.jpg" alt="AdminAuth.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /><IMG /></P><P>I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Aastha</P></BODY></HTML> Thu, 06 Feb 2014 17:30:42 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452547#M88297 Aastha Chaudhary 2014-02-06T17:30:42Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452548#M88298 <HTML><HEAD></HEAD><BODY><P>Aastha: <SPAN style="font-size: 10pt;">How did you manage to display Identity Sources on the Login Page? I am using Super Admin account and the portal login doesn't have this menu/drop down with Identity Sources listed.</SPAN></P><P></P><P>Thanks for your help.</P><P></P><P>Srinivas</P></BODY></HTML> Thu, 06 Feb 2014 21:09:44 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452548#M88298 srinivas_mukhyla 2014-02-06T21:09:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452549#M88299 <HTML><HEAD></HEAD><BODY><P>Srinivas,</P><P></P><P>You will see this option when you have enabled AD or any other external Identity Source for Admin authentication. You can find this setting from ISE GUI under Administration &gt; System &gt; Admin Access &gt; Authentication &gt; Authentication Method.</P><P>Under Password Based authentication, the Identity Source is set to Internal by default. Once you change it to AD, or LDAP, you will start seeing that ID source on the login dropdown.</P><P></P><P>Thanks,</P><P>Aastha</P></BODY></HTML> Thu, 06 Feb 2014 21:34:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452549#M88299 Aastha Chaudhary 2014-02-06T21:34:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452550#M88300 <HTML><HEAD></HEAD><BODY><P>Aah! Thats what I was concerned to change thinking that if I change it and if it doesnt work, I might loose Admin Access to it. Thanks much, Aastha. I will have to schedule a change and get this done. I will keep you posted on the progress.</P><P></P><P>Many thanks once again.</P></BODY></HTML> Fri, 07 Feb 2014 16:23:40 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452550#M88300 srinivas_mukhyla 2014-02-07T16:23:40Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452551#M88301 <HTML><HEAD></HEAD><BODY><P>You're welcome Srinivas! Let me know how it goes.</P><P></P><P>Thanks,</P><P>Aastha</P></BODY></HTML> Fri, 07 Feb 2014 18:50:44 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452551#M88301 Aastha Chaudhary 2014-02-07T18:50:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452552#M88302 <HTML><HEAD></HEAD><BODY><P> It worked! Thanks a ton, Aastha.</P><P></P><P>Charles: Thanks for your tips as well. </P></BODY></HTML> Fri, 21 Feb 2014 16:47:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-1-2-145-admin-authentication-using-ldap/m-p/2452552#M88302 srinivas_mukhyla 2014-02-21T16:47:36Z