ā04-10-2013 01:32 PM - edited ā03-10-2019 08:17 PM
hey!
Am having an issue with admin groups.
am trying to do en external authentication with AD users but fails with a : Authentication failure for user: Eric : No admin groups
All seems fine, autorisation policy, Menu acces, Data access AD group binding with ISE Super Admin group
My user is ok on AD ( not locked, expired or anything )
Anyone got that problem before?
Thx
Solved! Go to Solution.
ā04-10-2013 05:38 PM
Possible defect.
CSCud31796 ISE - External RBAC fails if user member of group containing apostrophe
Symptom:
RBAC utilizing an external identity store (AD, LDAP) group mapping fails for a user with the correct group(s) to gain access to the ISE GUI. The following message will be displayed:
"Authentication failure for user: username : No admin groups"
Conditions:
The user is a member of a group which contains the apostrophe character.
Workaround:
No workaround exists within ISE.
1. Rename all groups in the external identity store such that they do not contain apostrophes
2. Remove users participating in ISE administration from any external groups that contain apostrophes
Jatin Katyal
- Do rate helpful posts -
ā04-10-2013 05:38 PM
Possible defect.
CSCud31796 ISE - External RBAC fails if user member of group containing apostrophe
Symptom:
RBAC utilizing an external identity store (AD, LDAP) group mapping fails for a user with the correct group(s) to gain access to the ISE GUI. The following message will be displayed:
"Authentication failure for user: username : No admin groups"
Conditions:
The user is a member of a group which contains the apostrophe character.
Workaround:
No workaround exists within ISE.
1. Rename all groups in the external identity store such that they do not contain apostrophes
2. Remove users participating in ISE administration from any external groups that contain apostrophes
Jatin Katyal
- Do rate helpful posts -
ā04-12-2013 07:49 AM
I'm having a similar issue, however my AD group doesn't have any apostrophe charachters. The only 'non standard' characters it has is some spaces " " and a "&" symbol, could this cause the same problem?
ā04-12-2013 10:39 AM
Hello Zach,
My groups didnt have an apostrophe but my OU did...
mydomain.local/admin groups/doesn't need auth/ISe_admin ( kinda group )
i dont wanna replace Cisco TAC teams but:
1. Log into ISE using a working admin user and navigate to Administration > System > Logging > Debug Log Configuration
2. Select the admin node from the "Node list" on the right and click the "Edit" button
3. Turn up the logging level of the "nfs" and "identity-store-AD" components (click on the current log level and change it to TRACE)
4. Try to log in using the failing user.
5. Navigate to Operations > Troubleshoot > Download Logs and select your admin node
6. Click the "Debug Logs" item in the right pane
7. Download the file "ise-psc.log" search for the last auth fail with yur user
Thats how i did find my problematic groups.
I asked the tac engeneer to update the CSCud31796 to include the OU names, not only groups
Hope that help
by the way:
1- will be fixed in release 1.2
2- the apostrophe actually stop the group membership comparaison
3- didnt test it yet but i suspect that any comparason rules, aka memberof in any policy.. wont work because of that
to fix that, in addition to Jatin Comments, you could put yur user in the TOP level groups lets say: mydomain.local/admin groups/1-admin_ise
this way, the appostrophe wont be hit before matching the rule.
Thx to Jatin Also
Bye
Ce message a ƩtƩ modifiƩ par: Eric Lessard
ā04-12-2013 10:49 AM
Thx Jatin!
see my comment below... do you know if in fact it would also impact any policy rules based on membership ? or is it only affecting admin access?
ā04-17-2013 06:52 PM
sorry for any delay!
Well I did read user Auth fail on Authorization Policy when rule contain group with special character.
This problem exist in ACS 5.x as well.
Jatin Katyal
- Do rate helpful posts -
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide