Can ISE admin and TACACS admin be the same names?

wags (Level 1)

Is there a way to have the ISE admin and TACACS admin accounts be the same name?

i.e.: For the ISE admin under "Administration > System > Admin Access" have "bill.smith.admin", and under "Work Centers > Device Administration > Identities" have the same account name "bill.smith.admin". When I try to add the name in TACACS, I get the error "user with that name already exists". ISE acts as though the TACACS and ISE admin accounts share the same database records.

Hope this makes sense.

We are running ISE v3.1 (but it existed back at 2.7 as well) using TACACS to support logon to network devices.

Accepted Solution

Hi @wags ,

1st, remember that Work Centers > Device Administration > Identities > Users and Administration > Identity Management > Identities > Users are the same; in this case we are talking about a Network Access User (an ISE user that is authorized to access the ISE network resources based on identity; the Network Access User identity contains information about the user and forms the network access credentials for the user, and can consist of username, email address, password, account description, associated administrative group, user group, and role).

2nd, Administration > System > Admin Access > Administrators > Admin Users are "Administrators" that have local privileges to configure and operate ISE (for ex.: Super Admin, TACACS+ Admin, ...).

3rd, Network Access Users and Admin Users are both part of Internal Users (at Administration > Identity Management > Identity Source Sequences > select All_User_ID_Stores); that's why their usernames must be different.


Hope this helps !!!


4 Replies


Arne Bier (VIP)

Hello @wags 

You are correct about not being able to ADD a Network Access User account with the same name as an EXISTING Admin Account. BUT, you can achieve that by doing the following:

1) Create the Network Access User

[screenshot: admin1.PNG]

2) Then go to the Admin Users menu and add that user in as an administrator

[screenshot: admin2.PNG]

The end result is that this user account is now owned by the Admin Menu and you have to edit it there. But it's pretty neat.

[screenshot: admin3.png]

Interesting. Do you know if this is a Cisco supported configuration? What about which account rules apply (password complexity, change interval, etc.)? I would assume that it would be the ISE admin rule settings and not the Work Center identity. Will definitely have to play with this.

It's certainly a Cisco supported configuration because it's a feature that's there by design. I have to admit that I only discovered this a few weeks ago when I was working on a customer project where AD was not involved, so I explored what ISE could do out of the box. Once the Network Access User is tagged as an Admin, you manage that account as an Admin account, and not as a Network Access User (it's greyed out there). You can still reset the pwd, etc.