
ISE 2.2 add single admin user from external identity source

Kalipso
Level 1

Hello,

I'm trying to add admin users to ISE Web Interface. These users already exist in Active Directory.

I don't have access to AD groups, so I want to add users as single entries, not as assets from an AD group. I want to have control over the new users added as administrator users, which I can't when using an AD group.

 

So when I create the user: Administration > System > Admin users > Add (create an Admin user)

I can see the option "External" that makes the password field disappear but doesn't let me choose the external identity source.

I also choose an admin group that is used as a condition in the RBAC policy with corresponding permissions.

 

Then I try to log in to WEBUI, using the AD identity store, but I always get the following message from the Administrator logins report: "Authentication failed due to zero RBAC Groups".

Did I miss something? Isn't it possible to add a single admin user from an external identity source?

Accepted Solutions

Arne Bier
VIP

If you want to assign an AD user as an ISE GUI admin user, then it's always based on Group Membership. There is no mechanism to single out an individual from AD for this purpose. If that were the case then you may as well create the user locally in ISE.

Create the AD Group and make that user (or users) a member of the AD Group. Then tell ISE to reference that Group and assign the correct Policy.

There is this concept of a shadow user - I don't understand it - never looked into it.


2 Replies

hslai
Cisco Employee

When allowing users to access ISE admin Web UI using AD credentials, we have to configure an AD group and allow the group as a whole. See Integrate ISE with MS Active Directory ...