10-26-2017 08:23 AM
Hello Team
We have faced an issue with the internal ISE admin.
This user is periodically (several times a day) locked after several failed authentication attempts.
But no one uses this account.
The IP address from which the admin "login" is the IP address of ISE.
In which logs can we see where this user is trying to log in?
Thanks
10-26-2017 08:48 AM
Go to Operations > Reports > Reports > Audit > Administrator Logins. You can run that report and it will show where the login (IP address) was coming from. Look for "Administrator authentication failed" events.
10-26-2017 10:30 AM
Yes, I know that.
The login attempt is coming from the ISE PAN node (the same IP).
I want to know where this user is trying to log in and why.
Is there any log in the CLI where I can find this?
10-26-2017 08:55 PM
Most likely it is your vulnerability scanner if you have one. They will try to break into systems using common usernames, admin, root, etc., and common passwords. Did you turn off account lockout?
10-26-2017 11:53 PM
Hi
We don't have a scanner, and we can't disable account lockout.
The source IP address from which the login attempt is coming is the IP address of the Cisco ISE PAN node.
10-27-2017 09:27 AM
Try updating the default admin with a new username. If it continues happening, please engage Cisco TAC.
04-11-2018 07:36 AM
Could you please tell me what you did? I have the same issue.
04-11-2018 07:43 AM
Hi
We renamed the admin account to "ise-admin"