cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1301
Views
0
Helpful
2
Replies

ISE 2.2 add single admin user from external identity source

Kalipso
Beginner
Beginner

Hello,

I'm trying to add admin users to ISE Web Interface. These users already exist in Active Directory

I don't have access to AD groups, so I want to add users as single entries, not as assets from an AD group. I want to have control on the new users added as administrator users, which I can't when using AD group.

 

So when I create the user : Administration > System > Admin users > Add (create an Admin user)

I can see the option "External" that makes the password field disappear but doesn't let me choose the external identity source.

I also choose a admin group that is used as a condition in the RBAC policy with corresponding permissions.

 

Then I try to login to WEBUI, using the AD identity store, but I always get the following message from the Administrator logins report : "Authentication failed due to zero RBAC Groups".

Did I miss something ? Isn't it possible to add a single admin user from an external identity source?

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

If you want to assign an AD user as an ISE GUI admin user, then it's always based on Group Membership.  There is no mechanism to single-out an individual from AD for this purpose.  If that were the case then you may as well create the user locally in ISE.

Create the AD Group and make that user (or users) a member of the AD Group.  Then tell ISE to reference that Group and assign the correct Policy.

There is this concept of a shadow user - I don't understand it - never looked into it.

View solution in original post

2 Replies 2

Arne Bier
VIP
VIP

If you want to assign an AD user as an ISE GUI admin user, then it's always based on Group Membership.  There is no mechanism to single-out an individual from AD for this purpose.  If that were the case then you may as well create the user locally in ISE.

Create the AD Group and make that user (or users) a member of the AD Group.  Then tell ISE to reference that Group and assign the correct Policy.

There is this concept of a shadow user - I don't understand it - never looked into it.

hslai
Cisco Employee
Cisco Employee

When allowing users to access ISE admin Web UI using AD credentials, we have to configure an AD group and allow the group as a whole. See See Integrate ISE with MS Active Directory ...

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: