'admin' account to auth to network devices via TACACS

kondzio24
Level 1

Hello,

Is there a way to delete the admin (Super User) account in ISE 2.4?

Some of our switches are configured with a local 'admin' account, and the idea was to move the auth to ISE but still use the admin account. It seems that there is no way to configure the authentication policy to use the Super Users group and there is no way to delete this 'admin' account.

Has anyone seen this before or tried to use 'admin' for anything else other than management of ISE?

Thanks.

-kp

1 Accepted Solution

Surendra
Cisco Employee
You can disable the ISE “admin” account if you create another Admin account and make it a part of the Super Admin group. You will have to log out after you create this account and log in with the new super admin account you created, and then you will be able to disable this “admin” account on the ISE. You cannot delete it though. Disabling essentially will have the same effect unless you plan to have an internal user (not an administrator account) with the username “admin”.


5 Replies

The only caveat I will add here is that if you create other INTERNAL Admin Accounts of type super-admin then they are equivalent in power to the default built-in admin account.

But if you are using AD to log into your ISE Admin GUI, and you assign those users the same super-admin role, then those users have slightly limited power - they cannot delete ANY INTERNAL users.

You can't even delete users that you have created yourself, while logged into the GUI (authenticated with AD credentials)!!

AD Authenticated admins are not so much of a Super-Admin after all ;-) - I don't think this is by design (i.e. bug).

This is a bit of a side note, and therefore I have to log in as a local user to delete any users that I may have (e.g. local ERS accounts).

pwoll
Level 1

I am trying to do the same thing. I want to use the "admin" account for TACACS logins to Cisco devices. I have created another ISE Administrator account called iseadmin and assigned it to Super Admin. I am able to disable the admin account. But I still cannot find a way to either create a Network Access User called admin or add the existing Admin Access Account "admin" to the Device Administration User Identity Group I use for TACACS. Did you ever find a way to do this?

I'd be interested to know if you can pull this off. Even if you managed to disable the factory built-in admin user account, I think you cannot delete it or create another Internal User Account with name 'admin'. It's a bit of an oversight :-( But then again, 'admin' is such an overused/abused account name, and probably should be avoided where possible.

Perhaps it's possible in a green field scenario where you never use the 'admin' user at all during initial PAN creation. Start off with an 'iseadmin' user instead during the wizard setup phase.