
allow GUI access to ISE 3.0 to particular user from AD group

shrijan
Level 1

Hello Everyone,

 

Is it possible to allow a particular user from an AD group to have access to the ISE GUI?

 

Thanks.

 

Regards,

shrijan 

Accepted Solutions

Greg Gibbs
Cisco Employee

It sounds like you are wanting to limit admin access to ISE to just a single user within an AD Group. I don't believe there is a way to do this without ISE pointing to another external RADIUS server (as a RADIUS Token server), creating a 'shadow' admin account in ISE, having the external RADIUS server doing the authentication, and ISE doing the authorisation.

It does not appear that you can use the External shadow user account to authenticate against AD, only for RSA and RADIUS Token servers.

It would be a much better option to create a new AD Security Group for this admin account and mapping that to the Super Admins RBAC Group.

Another option would be to create a local admin account for that user, but then you would need to manage the password lifecycle directly via ISE.

3 Replies

marce1000
VIP

 

 - FYI : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200891-Understanding-Admin-Access-and-RBAC-Poli.html#anc15

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

@Greg Gibbs 

I think "It would be a much better option to create a new AD Security Group for this admin account and mapping that to the Super Admins RBAC Group", this option is suitable. Because if a new staff member comes along and needs admin access, we just add his account to the new AD Security Group. And to remove his admin access in future, just removing him from this new AD Security Group is easier.

 

Thanks.
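
The dedicated-group approach from the accepted solution, and the add/remove workflow described in the last reply, can be kept honest on the AD side with a membership check. The following PowerShell is an added example, not part of the original thread or Cisco's own tooling; the group name, OU path and account name are hypothetical placeholders, and it assumes the ActiveDirectory (RSAT) module. Mapping the group to the Super Admins RBAC Group is still done in ISE itself.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$GroupName = 'ISE-GUI-SuperAdmins'                    # hypothetical group name
$GroupOU   = 'OU=Security Groups,DC=example,DC=com'   # hypothetical OU
$Approved  = @('jdoe')                                # constructed list of approved sAMAccountNames

# Create the dedicated security group only if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupOU `
        -Description 'Mapped to the Super Admins RBAC Group in ISE' -PassThru
}

# Returns every user that is a member directly or through nested groups.
function Get-EffectiveUsers {
    param($Group)
    @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName)
}

# Add approved accounts that are not yet effective members.
$effective = Get-EffectiveUsers -Group $group
foreach ($sam in $Approved) {
    if ($effective -notcontains $sam) {
        Add-ADGroupMember -Identity $group -Members $sam
    }
}

# Audit 1: users in the group who are not on the approved list.
$unexpected = Get-EffectiveUsers -Group $group |
    Where-Object { $Approved -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unapproved members of ${GroupName}: $($unexpected -join ', ')"
}

# Audit 2: nested groups, which widen membership without touching this group.
$nested = @(Get-ADGroupMember -Identity $group |
    Where-Object objectClass -eq 'group' |
    Select-Object -ExpandProperty Name)
if ($nested) {
    Write-Warning "Nested groups in ${GroupName}: $($nested -join ', ')"
}
```

Running it on a schedule and alerting on either warning catches admin access that was granted by group changes rather than by an ISE configuration change.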