'admin' account to auth to network devices via TACACS

Hello, 

 

Is there a way to delete the admin (Super User) account in ISE 2.4?

 

Some of our switches are configured with a local 'admin' account and the idea was to move the auth to ISE but still use the admin account. It seems that there is no way to configure the authentication policy to use the Super Users group and there is no way to delete this 'admin' account.

 

Has anyone seen this before or tried to use 'admin' for anything other than management of ISE?

 

Thanks.

 

-kp

Accepted Solutions
Cisco Employee

Re: 'admin' account to auth to network devices via TACACS

You can disable the ISE “admin” account if you create another Admin account and make it a part of the Super Admin group. You will have to log out after you create this account and log in with the new super admin account you created, and then you will be able to disable this “admin” account on the ISE. You cannot delete it though. Disabling essentially will have the same effect unless you plan to have an internal user (not an administrator account) with the username “admin”.
VIP Engager

Re: 'admin' account to auth to network devices via TACACS

The only caveat I will add here is that if you create other INTERNAL Admin Accounts of type super-admin then they are equivalent in power to the default built-in admin account. 

 

But if you are using AD to log into your ISE Admin GUI, and you assign those users the same super-admin role, then those users have slightly limited power - they cannot delete ANY INTERNAL users. 

You can't even delete users that you have created yourself, while logged into the GUI (authenticated with AD credentials)!!

 

AD Authenticated admins are not so much of a Super-Admin after all ;-) - I don't think this is by design (i.e. bug). 

 

This is a bit of a side note, and therefore I have to log in as a local user to delete any users that I may have (e.g. local ERS accounts).