cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1802
Views
20
Helpful
5
Replies

Authentication admin user with AD

eric.lessard
Level 1
Level 1

hey!

Am having an issue with admin groups.

am trying to do en external authentication with AD users but fails with a : Authentication failure for user: Eric : No admin groups

All seems fine, autorisation policy, Menu acces, Data access AD group binding with ISE Super Admin group

My user is ok on AD ( not locked, expired or anything )

Anyone got that problem before?

Thx

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

Possible defect.

CSCud31796    ISE - External RBAC fails if user member of group containing apostrophe

Symptom:

RBAC utilizing an external identity store (AD, LDAP) group mapping fails for a user with the correct group(s) to gain access to the ISE GUI. The following message will be displayed:

"Authentication failure for user: username : No admin groups"

Conditions:

The user is a member of a group which contains the apostrophe character.

Workaround:

No workaround exists within ISE.

1. Rename all groups in the external identity store such that they do not contain apostrophes

2. Remove users participating in ISE administration from any external groups that contain apostrophes

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

5 Replies 5

Jatin Katyal
Cisco Employee
Cisco Employee

Possible defect.

CSCud31796    ISE - External RBAC fails if user member of group containing apostrophe

Symptom:

RBAC utilizing an external identity store (AD, LDAP) group mapping fails for a user with the correct group(s) to gain access to the ISE GUI. The following message will be displayed:

"Authentication failure for user: username : No admin groups"

Conditions:

The user is a member of a group which contains the apostrophe character.

Workaround:

No workaround exists within ISE.

1. Rename all groups in the external identity store such that they do not contain apostrophes

2. Remove users participating in ISE administration from any external groups that contain apostrophes

Jatin Katyal
- Do rate helpful posts -

~Jatin

I'm having a similar issue, however my AD group doesn't have any apostrophe charachters.  The only 'non standard' characters it has is some spaces " " and a "&" symbol, could this cause the same problem?

Hello Zach,

My groups didnt have an apostrophe but my OU did...

mydomain.local/admin groups/doesn't need auth/ISe_admin  ( kinda group )

i dont wanna replace Cisco TAC teams but:

1. Log into ISE using a working admin user and navigate to Administration > System > Logging > Debug Log Configuration

2. Select the admin node from the "Node list" on the right and click the "Edit" button

3. Turn up the  logging level of the "nfs" and "identity-store-AD" components (click on  the current log level and change it to TRACE)

4. Try to log in using the failing user.

5. Navigate to Operations > Troubleshoot > Download Logs and select your admin node

6. Click the "Debug Logs" item in the right pane

7. Download the file "ise-psc.log"  search for the last auth fail with yur user

Thats how i did find my problematic groups.

I asked the tac engeneer to update the CSCud31796 to include the OU names, not only groups

Hope that help

by the way:

1- will be fixed in release 1.2

2- the apostrophe actually stop the group membership comparaison

3- didnt test it yet but i suspect that any comparason rules, aka memberof in any policy.. wont work because of that

to fix that, in addition to Jatin Comments, you could put yur user in the TOP level groups lets say: mydomain.local/admin groups/1-admin_ise

this way, the appostrophe wont be hit before matching the rule.

Thx to Jatin Also

Bye

Ce message a ƩtƩ modifiƩ par: Eric Lessard

Thx Jatin!

see my comment below... do you know if in fact it would also impact any policy rules based on membership ? or is it only affecting admin access?

sorry for any delay!

Well I did read user Auth fail on Authorization Policy when rule contain group with special character.

This problem exist in ACS 5.x as well.

Jatin Katyal

- Do rate helpful posts -

~Jatin