569 Views · 0 Helpful · 2 Replies

Cisco ISE - how to handle API users

asdf6
Level 1

Hello,

I've got a question for the ISE masters! In our environment we enforce an admin password policy: passwords need to be changed every x days. How do you handle admins that use the API? Those accounts are used by other services, and a password change can't be done without manual intervention.

Would you recommend using certificate-based API authentication? What's the go-to solution for this?


Best regards,
Stefan

2 Replies

thomas
Cisco Employee

Probably the most straightforward is to map your admin users to Active Directory groups or to use SAML SSO. This way you are not doing password management on ISE at all for your admins, and you get the benefit that the same [strong] corporate password policies for strength and rotation automatically apply. SAML-based integration gives you the MFA option as well.

▷ ISE Initial Setup and Operations 2022/03/01

33:18 Administrative Role-based Access Control (RBAC): Menus & Data
33:53 RBAC Policy
34:08 Admin Groups and Roles
35:38 Admin Users
36:25 Use Active Directory External Identity Store for Admin Groups
40:02 Map AD Groups to ISE Admin Groups
42:16 Network Device Admin Role Test

▷ ISE With Duo Integration 2022/11/01

22:39 Duo Single Sign-On with SAML
25:11 Demo: Protect ISE Admin UI with Duo Single Sign-On
28:37 - Active Directory Configuration for SSO
30:58 - Protect an Application: Generic SAML Service Provider
32:18 - Configure Duo as ISE SAML Identity Provider
34:20 - Add Duo Certificate to ISE Trusted Certificates
35:19 - Add Duo SAML Metadata to ISE
35:38 - Map SAML Groups to ISE Admins
37:26 - Login to ISE with Duo SAML SSO

We also have Configure ISE 3.1 ISE GUI Admin Login Flow via SAML SSO Integration with Azure AD, but the same steps should work with any SAML IdP, as shown with Duo above.


hslai
Cisco Employee

@asdf6 : Certificate-based Authentication for API Calls is available in ISE 3.3 only at present. If you are on ISE 3.3, do try it out and let us know.