ISE 2.6 CLI Access through External Identity Store

JP_Berlin
Cisco Employee

Hi community,

I want to configure my AD as an external identity source for ISE CLI access. The only documentation I've found so far is this:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0101.html#id_99029

Maybe it's just me but in my opinion it doesn't cut it. Can anyone point me to a more comprehensive documentation? If it does not exist, I think we should create it!

Thanks,

Jonathan

1 Accepted Solution

Colby LeMaire
VIP Alumni

Within Active Directory, you can edit attributes for a particular user account. The documentation is saying to modify the "gidNumber" and "uidNumber" attributes in Active Directory for the account you want to use as the CLI Admin User. ISE will read those attributes to ensure the user is authorized to be a CLI Admin. These attributes are not used by Active Directory and are not set by default. So you can find your user within AD and go to Properties. Then select "Attribute Editor" to see/edit attributes. If you don't see the "Attribute Editor" tab, then you need to go to View and select the option for "Advanced". Then open Properties again and it will be there. Following are screenshots showing you the default settings for a user in AD for "gidNumber" and "uidNumber":

[Screenshots: gidnumber.jpg, uidnumber.jpg]

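The accepted answer above describes the GUI steps (Attribute Editor) for setting the two POSIX attributes ISE reads. The following PowerShell script is an added example, not part of the thread or Cisco's documentation: it sets both attributes on one account with the ActiveDirectory RSAT module and then produces an audit report of every AD user whose gidNumber would be accepted for ISE CLI login. The gidNumber mapping (110 = admin, 111 = read-only) is the one the ISE 2.6 admin guide linked in the question states; the account name, the uidNumber value and the function names are assumptions chosen for illustration.

```powershell
# Added example, not from the thread or Cisco docs. Requires the ActiveDirectory
# module (RSAT) and rights to write POSIX attributes on the target user objects.
# gidNumber mapping from the ISE 2.6 admin guide: 110 = CLI admin, 111 = CLI read-only.
# The uidNumber value and sAMAccountName used below are assumptions for illustration.

Import-Module ActiveDirectory

function Set-IseCliAccess {
    # Sets gidNumber and uidNumber on one AD user so that ISE accepts it for CLI login.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('Admin', 'ReadOnly')] [string] $Role,
        [Parameter(Mandatory)] [int] $UidNumber
    )
    $gid = if ($Role -eq 'Admin') { 110 } else { 111 }
    # -Replace writes both attributes in one LDAP modify, creating them if unset
    Set-ADUser -Identity $SamAccountName -Replace @{ gidNumber = $gid; uidNumber = $UidNumber }
}

function Get-IseCliAccessReport {
    # Audit view: every AD user whose gidNumber is 110 or 111 is an account that ISE
    # would treat as a CLI admin or CLI read-only user via the external identity store.
    # Review this list periodically; these attributes are not used by AD itself, so
    # nothing else in the directory will flag an unexpected value.
    Get-ADUser -LDAPFilter '(|(gidNumber=110)(gidNumber=111))' -Properties gidNumber, uidNumber |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                gidNumber      = $_.gidNumber
                uidNumber      = $_.uidNumber
                IseCliRole     = if ($_.gidNumber -eq 110) { 'Admin' } else { 'ReadOnly' }
                # The guide says to set both attributes; flag accounts missing uidNumber
                Complete       = ($null -ne $_.uidNumber)
            }
        }
}

# Usage (assumed account name and uidNumber):
Set-IseCliAccess -SamAccountName 'ise-cli-admin' -Role Admin -UidNumber 60001
Get-IseCliAccessReport | Format-Table -AutoSize
```

The report is the part worth keeping around: because gidNumber 110 on an AD account is, in effect, a grant of full ISE CLI admin rights, listing those accounts from the directory side is the quickest way to confirm that only the intended identities carry the value.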

9 Replies


Super helpful, thanks a lot for this description! I have it now running in my lab...

hslai
Cisco Employee

Colby.LeMaire is correct.

Attached is the section of our ISE 2.6 Update lab guide on this feature.

I also opened a doc bug to ask that the admin and CLI guides be updated: CSCvs37998

Thanks a lot for opening the defect. I really appreciate the effort by Product Management on this forum 👍🏻

Some feedback on the feature: I like it and I could make it run in a couple of minutes with this descriptive guide. I just hope we can avoid having to rejoin the ISE node from the GUI in the future.

Hello @hslai ,

Is it not necessary to create any TACACS+ rules on the ISE using the "gidNumber" and "uidNumber" parameters configured on the Active Directory side, except for Active Directory integration from the command line?

hslai
Cisco Employee

Sp@wn, ISE CLI Admin access is NOT using ISE T+, so there is no relationship to ISE T+ rules. I am guessing you are thinking about the admin CLI of Cisco PI, which allows T+.

I am trying to understand how ISE decides whether the user is a CLI admin with full administrative role privileges or a CLI user with read-only role privileges. Where does ISE use these uidNumber and gidNumber values?

From https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_0101.html#id_99029

  • Assign gidNumber as 110 or 111.

  • GidNumber 110 denotes an admin user whereas 111 denotes a read-only user.

I am trying to understand the configuration made on the ISE side for CLI Access through External Identity Store. I read the document you shared. I did not see a configuration example related to gidNumber on the ISE side, but I encountered the following contradictory statement.

Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for CLI access.

Note

You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE Command Line Interface (CLI) does not feature these functions.