ISE 2.7 CLI access using Active Directory credentials

Hello ISE 2.7 users


I was so excited when I heard that in ISE 2.7 I could finally SSH into my nodes using AD credentials.

This should have been a simple 5 minute job for me.


According to the ISE 2.7 Admin Guide on how to configure the node to allow AD credentials for CLI logins this should be simple.

There is a documentation bug on that page because it asks you to "run" the identity-store command instead of saying that this is a configuration option under conf t.


Connect to the Cisco ISE CLI, run the identity-store command, and assign the Admin user to the ID store. For example, to map the CLI admin user to the Active Directory defined in ISE as adpool1, run identity-store active-directory domain-name adpool1 user admincliuser.


The first thing that threw me off is that I now have to edit my AD Admin User(s) - the UI equivalent never required any manual tuning of this user.  Anyway - minor gripe ... I edited my AD user as indicated


Assign uidNumber greater than 60000, and make sure that the number is unique.
Assign gidNumber as 110 (admin user) or 111 (read-only)


I then ran the CLI command to join the Domain.  This is where I shook my head again. This node is already joined to the AD. Why am I having to do this again? I tried the identity-store command once, and then I opened a new SSH window, but the AD credentials were not accepted.  I even left and re-joined the AD via CLI, but it doesn't allow me to login with the user shown below.


ise03/admin(config)# no identity-store active-directory domain-name somedomain.com.au user admin-biera
Left the domain somedomain.com.au successfully
ise03/admin(config)# identity-store active-directory domain-name somedomain.com.au user admin-biera
If the domain somedomain.com.au is already joined via UI, then you must rejoin the domain somedomain.com.au from UI after this configuration. Until the rejoin happens, authentications to somedomain.com.au will fail
Do you want to proceed? Y/N [N]: Y
Password for admin-biera:
Joined to domain somedomain.com.au successfully
ise03/admin(config)# end
ise03/admin#

As the message above indicated, after I did the CLI "AD Join", it breaks the GUI AD Join Point (which is not great - I had to leave the AD Join in the GUI and then re-join ... then all was ok again).


What am I doing wrong regarding the CLI login? Is there a missing step?

In general:

  • Do I have to re-join the domain with all of my admin users?  Surely not ...
  • If I have more than one ISE node, do I have to go through this "weird AD join on the CLI" on every node?


Any hints welcome

1 ACCEPTED SOLUTION

Update: I changed the wrong AD attribute - I was searching for "uid" by pressing "u" to search through the list - and I edited the first search result that came back - uid.  Which was a mistake, because I needed to edit uidNumber.  At least I won't forget that next time ;-) - the AD login on CLI now works after changing the uidNumber to a value > 60000.


attr.png


If anyone has insights/answer to the other questions I'd be happy to hear from you.

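The attribute edit the admin guide excerpt and the accepted answer describe (uidNumber above 60000 and unique, gidNumber 110 for admin or 111 for read-only, and specifically uidNumber rather than uid) can be done and checked from a domain-joined Windows host. The following is an added example, not code from the thread or from Cisco; it assumes the ActiveDirectory PowerShell module, rights to modify the account, and placeholder values for the user name and the uidNumber.

```powershell
# Added example (not from the thread): set and verify the RFC2307 attributes that
# ISE 2.7 reads for CLI logins. Assumes the ActiveDirectory module and rights to
# edit the user; $User and $UidNumber are placeholders, not values from the thread.
Import-Module ActiveDirectory

$User      = 'admin-cli-user'   # placeholder sAMAccountName
$UidNumber = 60001              # must be greater than 60000 and unique
$GidNumber = 110                # 110 = admin, 111 = read-only (per the thread)

# Refuse a uidNumber outside the range the admin guide excerpt requires.
if ($UidNumber -le 60000) {
    throw "uidNumber must be greater than 60000"
}

# Refuse a uidNumber already held by a different account (uniqueness is required).
$clash = Get-ADUser -Filter "uidNumber -eq $UidNumber" -Properties uidNumber |
         Where-Object { $_.SamAccountName -ne $User }
if ($clash) {
    throw "uidNumber $UidNumber is already assigned to $($clash.SamAccountName)"
}

# Write uidNumber (not 'uid', the attribute the accepted answer edited by mistake)
# and gidNumber in one operation.
Set-ADUser -Identity $User -Replace @{ uidNumber = $UidNumber; gidNumber = $GidNumber }

# Read back the three attributes side by side so a uid/uidNumber mix-up is visible.
Get-ADUser -Identity $User -Properties uid, uidNumber, gidNumber |
    Select-Object SamAccountName, uid, uidNumber, gidNumber
```

The final read-back is the useful part: if uidNumber comes back empty while uid carries the number, the wrong attribute was edited, which is exactly the symptom in the accepted answer.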



Hi,


I'm glad someone tested this before me :) I looked at the documentation myself a couple of days ago, and the steps need to be followed in a specific order. I'm not sure exactly why; most probably it has to do with behind-the-scenes functionality and order of operation. One of the things it states is exactly that if you use the same join point as defined in the GUI, you would have to rejoin from the GUI; doesn't sound like the perfect outcome for a customer, but probably/hopefully it will improve with future versions, so there will be no more need to lose AD access for a while.

  Did you make it work in the end?


Regards,

Cristian Matei.


Hi @Cristian Matei 


yeah I got it working - in my first attempt I assigned a value to the wrong AD attribute - I then realised my mistake and updated the correct attribute. It works like a charm. I only have two AD users configured and tested with this.


I would have preferred a solution that just copied the same behaviour as the GUI Admin AD Integration ... it seems that CLI and GUI use completely different code to authenticate the admin users.


Arne,


Thank you for your insights on this. I have passed this on to PM/Engineering to look.


Thanks

Krishnan


So the process you have described is exactly the same as I had to undertake in ISE 2.6 and I agree, why is the CLI auth process (domain join and user properties etc) different between CLI and GUI? I guess it is due to the GUI being a separate application on the appliance vs the host OS process.

It is a pain having to do the CLI first and then leave and join the GUI if it was already joined.

So good to know the process is still the same in 2.7


Hi,


If you ask me, the feature came out in a rush, as most customers would want to use the same AD in the CLI as in the GUI, but they don't want that, when the process is done, the GUI needs to rejoin the AD, thus leaving a window when new users will not be able to get authenticated/authorized.

Initially I thought the same, that indeed because the CLI and GUI are two different entities (even though run as OS/RHEL and ISE application on top of it), the integrations of CLI and GUI with AD are two different processes, but then how come that if you use in the CLI the same Join Point as in the GUI, it breaks the GUI attachment and you would need to rejoin?


   If you ask me, this is gonna get fixed on next releases in one of two ways:

         - either CLI can make use of the same Join Point as the GUI with no need to rejoin the GUI or join at all from CLI

         - either CLI joining the AD will no longer break the GUI AD Join; like now, but without sacrificing anything


Regards,

Cristian Matei.


Hi, I tried this within dcloud environment using ISE 2.7 p2. Initial AD join on CLI was successful but CLI based external accounts could not login. Solution was to disjoin AD from CLI and rejoin on both CLI and GUI.

CSCvs60879 is a known issue on this feature.