06-18-2019 09:34 AM
Hello,
Is there a way to delete the admin (Super User) account in ISE 2.4?
Some of our switches are configured with a local 'admin' account and the idea was to move the auth to ISE but still use the admin account. It seems that there is no way to configure the authentication policy to use the Super Users group and there is no way to delete this 'admin' account.
Has anyone seen this before or tried to use 'admin' for anything else other than management of ISE?
Thanks.
-kp
06-18-2019 10:10 AM
06-18-2019 11:18 PM - edited 06-19-2019 12:03 AM
The only caveat I will add here is that if you create other INTERNAL Admin Accounts of type super-admin then they are equivalent in power to the default built-in admin account.
But if you are using AD to log into your ISE Admin GUI, and you assign those users the same super-admin role, then those users have slightly limited power - they cannot delete ANY INTERNAL users.
You can't even delete users that you have created yourself, while logged into the GUI (authenticated with AD credentials)!!
AD Authenticated admins are not so much of a Super-Admin after all ;-) - I don't think this is by design (i.e. bug).
This is a bit of a side note, and therefore I have to log in as a local user to delete any users that I may have (e.g. local ERS accounts).
08-07-2019 03:08 PM
I am trying to do the same thing. I want to use the "admin" account for TACACS logins to Cisco devices. I have created another ISE Administrator account called iseadmin and assigned it to Super Admin. I am able to disable the admin account. But I still cannot find a way to either create a Network Access User called admin or add the existing Admin Access Account "admin" to the Device Administration User Identity Group I use for TACACS.
08-20-2019 02:52 PM
I am trying to do the same thing. I want to use the "admin" account for TACACS logins to Cisco devices. I have created another ISE Administrator account called iseadmin and assigned it to Super Admin. I am able to disable the admin account. But I still cannot find a way to either create a Network Access User called admin or add the existing Admin Access Account "admin" to the Device Administration User Identity Group I use for TACACS. Did you ever find a way to do this?
08-20-2019 08:01 PM
I'd be interested to know if you can pull this off. Even if you managed to disable the factory built-in admin user account, I think you cannot delete it or create another Internal User Account with name 'admin'. It's a bit of an oversight :-( But then again, 'admin' is such an overused/abused account name, and probably should be avoided where possible.
Perhaps it's possible in a green field scenario where you never use the 'admin' user at all during initial PAN creation. Start off with an 'iseadmin' user instead during the wizard setup phase.