
Active Directory users unable to make API calls to the ISE.

Team,
We created an Active Directory user and are using this as an account to make API calls to the ISE. However, this does not work as intended and I get a "401 Unauthorized" error.

However, if I create a local user in ISE this works fine.

The way we have done this is:
1. Created the account in the Active Directory.
2. Created this account in Administration --> Identity Management --> Users. This is under the Network Access Users.
3. Then under Administration --> System --> Administrators --> Admin Users, added this user.
4. Then associated the Group ERS Admin to this user.

If I go to Reports and check for the Admin logins, instead of this username (i.e. the actual AD username) I see the username as "USERNAME" and this shows as "Login failed - bad credentials".

Where may I be going wrong?


Regards,

N!

1 Reply

Greg Gibbs
Cisco Employee

Support for external AD sources for the REST API was added in ISE 2.6. To leverage this feature, the GUI must be configured to use the same external AD source as per this guide.

AD Integration for Cisco ISE GUI and CLI Login 

With the Authentication Method configured to use your AD as an Identity Source, you would then need to add your AD group as an external group for the ERS Admin or ERS Operator Admin Group.

You are seeing the 'USERNAME' generic value in the logs due to the 'Disclose invalid usernames' setting being disabled by default in Administration > System > Settings > Security Settings.