cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6426
Views
3
Helpful
7
Replies

ISE 2.3 Admin account is locked periodically

alyautdinov
Level 1
Level 1

Hello Team

We have faced with issue with internal ISE admin.

This user is periodically (several times in a day) locked after several failed authentication attempt.

But no one uses this account.

The IP address from which the admin "login" is the IP address of ISE.

In which logs we can saw where this user try to login?

Thanks

1 Accepted Solution

Accepted Solutions

Try updating the default admin with a new username. If it continues happening, please engage Cisco TAC.

View solution in original post

7 Replies 7

Joseph Johnson
Level 1
Level 1

Go to Operations > Reports > Reports > Audit > Administrator Logins. You can run that report and it will show where the login (IP address) was coming from. Look for "Administrator authentication failed" events.

Yes, I know that.

The login attempt coming from ISE PAN node (the same IP)

I want to know where this user is trying to login and why

Is there any log in the CLI where I can find this?

Most likely it is your vulerability scanner if you have one.  They will try to break into systems using common usernames, admin, root, etc., and common passwords.  Did you turn off account lockout?

Hi

We don't have scanner. And we can't disable account lockout

The source IP address from which the login attempt is going is the IP address of the Cisco ISE PAN node

Try updating the default admin with a new username. If it continues happening, please engage Cisco TAC.

could you please tell me what you did ? I have the same issue .

Hi

We renamed the admin account to "ise-admin"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: