CLI Admin From External Store

Hi, 

I have an issue with my Cisco ISE. I have an integration with AD and I use an external identity store for the GUI administrators, and it's working.

Now I need the CLI admin to also use the external store. The problem is:

ISE-1/admin(config)#identity-store active-directory domain-name mindsets.local user 6886 password ****
If the domain mindsets.local is already joined via UI, then you must rejoin the domain mindsets.local from UI after this configuration. Until the rejoin happens, authentications to mindsets.local will fail
Proceed? [yes,no] y
Failed to join domain mindsets.local. Please check credentials or time sync between ISE node and AD
ISE-1/admin(config)#

When I run the diagnostics tool I find I have a problem with two tests:

[attached screenshot: diagnostics tool results]

I don't know whether this error is related to the error I get when I try to use the external identity store for the CLI admin or not.

Note:

No firewall between the AD and ISE.

Both are in the same network.

Time in AD >> Fri 04/04/2025 7:51:01.24

Time in ISE >> Fri Apr 4 07:51:20 EET 2025

GUI admin is working with no issue.

3 Replies

Arne Bier (VIP)

Don't do it!

I would steer clear of joining each node's CLI to the AD. It's a terrible implementation in ISE. Clunky and leaves much to be desired. If they can't get this part working then you have to wonder how good or reliable (or safe) it is.

Why would you need this anyway? My advice would be to disable the local admin account on all nodes' CLI, and to create a new account with the appropriate role for the job, but with a username that's not easy to guess. And then put that in a password vault. You hardly ever need to access the CLI.

I have not checked recently, but I would even dispense with the password auth entirely, and use SSH public key auth.

Thanks for your advice,

I just tried this method.

When I show the NTP I found the time is different. The question is why the NTP server time is different from the clock time; it should be the same, right?

Configured NTP Servers:
192.168.128.100
Reference ID : C0A88064 (DC-1.Mindsets.local)
Stratum : 2
Ref time (UTC) : Fri Apr 04 06:27:32 2025
System time : 0.000023189 seconds fast of NTP time
Last offset : +0.000026265 seconds
RMS offset : 0.000026265 seconds
Frequency : 0.415 ppm slow
Residual freq : +11.210 ppm
Skew : 0.003 ppm
Root delay : 0.000530061 seconds
Root dispersion : 10.200364113 seconds
Update interval : 2.0 seconds
Leap status : Normal

MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC-1.Mindsets.local 1 6 17 0 +3325ns[ +30us] +/- 10.2s

M indicates the mode of the source.
^ server, = peer, # local reference clock.

S indicates the state of the sources.
* Current time source, + Candidate, x False ticker, ? Connectivity lost, ~ Too much variability

Warning: Output results may conflict during periods of changing synchronization.
ISE-1/admin#
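The tracking output quoted above shows the local clock within microseconds of NTP but a root dispersion of about 10 s. As an added example, not code from the thread or from Cisco, this Python script parses that chrony-style output and checks the fields that matter for an AD join: the local offset against the Kerberos 5-minute skew tolerance, the root distance against chronyd's default maxdistance, and the leap status. The sample text is constructed from the values in the thread; the two thresholds are assumptions stated in the code.

```python
import re
# Constructed sample, modelled on the chrony-style "show ntp" tracking output quoted above.
SAMPLE_TRACKING = """\
Reference ID : C0A88064 (DC-1.Mindsets.local)
Stratum : 2
Ref time (UTC) : Fri Apr 04 06:27:32 2025
System time : 0.000023189 seconds fast of NTP time
Last offset : +0.000026265 seconds
RMS offset : 0.000026265 seconds
Root delay : 0.000530061 seconds
Root dispersion : 10.200364113 seconds
Leap status : Normal
"""

KERBEROS_MAX_SKEW_S = 300.0   # assumption: AD's default Kerberos clock-skew tolerance, 5 minutes
CHRONY_MAX_DISTANCE_S = 3.0   # assumption: chronyd's default maxdistance before a source is rejected

def parse_tracking(text):
    """Split 'Key : value' lines into a dict; the first ':' separates key from value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def system_offset_seconds(fields):
    """Signed local-clock offset from NTP time (positive = local clock is ahead)."""
    m = re.match(r"([\d.]+) seconds (fast|slow) of NTP time", fields["System time"])
    secs = float(m.group(1))
    return secs if m.group(2) == "fast" else -secs

def assess(text):
    """Return the numbers that matter for an AD/Kerberos join plus a list of findings."""
    f = parse_tracking(text)
    offset = system_offset_seconds(f)
    delay = float(f["Root delay"].split()[0])
    disp = float(f["Root dispersion"].split()[0])
    distance = delay / 2 + disp   # root distance, the error bound chrony prints as "+/-"
    findings = []
    if abs(offset) > KERBEROS_MAX_SKEW_S:
        findings.append("local clock is outside the Kerberos skew tolerance")
    if distance > CHRONY_MAX_DISTANCE_S:
        # A Windows DC's w32time commonly advertises around 10 s of dispersion, so this is
        # a warning that the source is imprecise, not proof that the local clock is wrong.
        findings.append("root distance exceeds chronyd's default maxdistance")
    if f.get("Leap status") != "Normal":
        findings.append("clock not synchronised (leap status: %s)" % f.get("Leap status"))
    return {"offset_s": offset, "root_distance_s": distance, "findings": findings}
```

Run `assess(SAMPLE_TRACKING)` on the sample: the offset is far inside the Kerberos tolerance, so a join failure is more likely explained by credentials or by the DC's own time source than by the ISE clock.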