AD Protected Accounts not supported with ISE

arennick
Level 1

Windows domain admin users are not able to authenticate via ISE with AD when logging on to troubleshoot a remote PC. It looks like this is due to a bug "AD Protected Accounts not supported with ISE." 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy39859

I imagine that this must be causing problems with the workflow of other organizations as well. Has anyone found a creative workaround?

7 Replies

flobo
Level 1

Hi,

Does anyone have more information regarding AD protected users? I have a customer that is facing authentication problems with this type of user. In the bug there isn't any information.

Regards

 

 

thomas
Cisco Employee

Please be very specific about your scenario.

Is this an 802.1X authentication on a Windows computer?

What is the Windows group that the user is a member of that is not working?

What is the specific error in the ISE LiveLog?

How to Ask The Community for Help 

Hi,

It's for ISE administration. The user isn't able to log in to the ISE GUI; the user is able to log in to other applications.

We get these logs from the ISE:

Event: Administrator authentication failed

Event Details: Authentication failed due to invalid user or password, or account is disabled/locked

Also, if we test the user from ISE with Test User Authentication and Authentication Type: MS-RPC, we get this log:
RFC Logon request faildes = STATUS_ACCOUNT_RESTRICTION,ERROR_LOGON_FAILURE

I'm not familiar with AD and we don't handle it. What we know is that this user is a protected user.

Thanks

thomas
Cisco Employee

Ah, ok, thank you for those details! That helps!

Since this is a known bug, perhaps by using a different AD Administrator Group that those same admins are members of?

I show how to configure the mapping of AD groups to ISE Admin Groups in

▷ ISE Initial Setup and Operations 

33:53 RBAC Policy
34:08 Admin Groups and Roles
35:38 Admin Users
36:25 Use Active Directory External Identity Store for Admin Groups
40:02 Map AD Groups to ISE Admin Groups
42:16 NetworkDeviceAdmin Role Test

The AD team modified the users to be "normal users"; now these users can authenticate and log in to ISE without problems.

Thank you for your help.

It is painful for us too. For security reasons (some of them are nicely described here: Windows Server: Protected Privileged Accounts - Petri IT Knowledgebase), our admins have administrative accounts in the Protected Users group. It means that authentication over MS-RPC is prohibited for those users. Since ISE needs MS-RPC "by design" (CSCvy39859 : Bug Search Tool (cisco.com)) for communicating with AD, those users could not be authenticated. I think giving up a higher security standard (recommended by Microsoft in connection with tiering) by moving admins from protected accounts to standard accounts is no solution. It would be really nice if Cisco solved this issue.
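Before deciding between the two workarounds discussed in this thread (mapping a different AD group to the ISE admin role, or removing accounts from Protected Users), it helps to know exactly which members of the AD group mapped to an ISE Admin Group are also Protected Users and will therefore fail the MS-RPC logon that ISE performs. The following PowerShell is an added example, not from the thread or from Cisco; it assumes the RSAT ActiveDirectory module, read access to the domain, and a group name such as `ISE-Admins` that you substitute for your own mapped group.

```powershell
# Added example: list members of the AD group that is mapped to an ISE Admin Group
# and flag the ones that are (directly or via nesting) in "Protected Users".
# Those accounts cannot authenticate over MS-RPC and will fail ISE admin login.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
function Get-IseAdminProtectedUsers {
    param(
        # Name of the AD group that is mapped to an ISE Admin Group (assumed name)
        [Parameter(Mandatory)] [string] $IseAdminGroup
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # User members of the mapped group, nested groups expanded
    $admins = Get-ADGroupMember -Identity $IseAdminGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    # SIDs of every account in "Protected Users", nested groups expanded
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $_.SID.Value }

    foreach ($a in $admins) {
        $isProtected = $protected -contains $a.SID.Value
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            ProtectedUser   = $isProtected
            # MS-RPC logon is blocked for Protected Users, so ISE admin login fails
            IseAdminLoginOk = -not $isProtected
        }
    }
}

# Usage: replace 'ISE-Admins' with the AD group mapped in your ISE Admin Groups.
Get-IseAdminProtectedUsers -IseAdminGroup 'ISE-Admins' | Format-Table -AutoSize
```

Accounts reported with `IseAdminLoginOk = False` are the ones that will produce the "Administrator authentication failed" event quoted above; the output lets you build a separate, non-protected admin group for ISE without touching the tiering model for the other members.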
