Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1114
Views
5
Helpful
3
Replies

ISE 3.1 ERS API authentication via external identity source

Go to solution
Sven Hruza
Level 4
Level 4

‎09-09-2022 07:49 AM

Hello,
is it possible to authenticate users of the ERS API against an external identity source like LDAP?
The API works well with a local admin account put in the admin group "ERS Admin".
If I create another admin group mapped to an external role configured in the external identity source, the user gets a 401 unauthorized.
The same happens if I map this external role to the pre-configured "ERS Admin" group, where the local admin is also in.

Thanks for a hint!

Sven

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎09-11-2022 04:27 PM

Yes, with ISE 3.1 (patch 3) you can authenticate/authorize API admins against either an AD or LDAP external ID store. The API uses the same Authentication source as the GUI as configured in Administration > System > Admin Access > Authentication > Authentication Type.

For a direct LDAP connection the same process would apply as per ISE Role Based Access Control with LDAP 

Note that, when using a direct LDAP connection (instead of AD integration), you must include the '@<domain>' suffix with the user account. When using AD integration, the suffix is not necessary.

View solution in original post

3 Replies 3

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎09-11-2022 04:27 PM

Yes, with ISE 3.1 (patch 3) you can authenticate/authorize API admins against either an AD or LDAP external ID store. The API uses the same Authentication source as the GUI as configured in Administration > System > Admin Access > Authentication > Authentication Type.

For a direct LDAP connection the same process would apply as per ISE Role Based Access Control with LDAP 

Note that, when using a direct LDAP connection (instead of AD integration), you must include the '@<domain>' suffix with the user account. When using AD integration, the suffix is not necessary.

Go to solution
Sven Hruza
Level 4
Level 4
In response to Greg Gibbs

‎09-11-2022 11:38 PM

Thanks, Greg, for that information. Because of a bug we are working with TAC on, I downgraded to 3.1 patch 1.
So I will wait till this other topic is solved in any way and will test again with patch 3.

One question regarding the domain. This '@<domain>' is needed only in the API? Because in the web gui authentication via LDAP it is not needed in my system.

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Sven Hruza

‎09-11-2022 11:56 PM

It actually depends on how you've configured your Schema for the LDAP Identity Source. When using the default schema for Active Directory, the Subject Name Attribute defaults to 'UserPrincipleName'. With that setting, you would need to include the domain suffix for both the GUI and the API.
If you change the Subject Name Attribute to 'sAMAccountName' you would not need to include the domain suffix for either the GUI or the API.

0 Helpful
Customers Also Viewed These Support Documents