Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1588
Views
1
Helpful
1
Replies

ISE 3.2p3 - Enabling SSO for Admins... access denied error

Go to solution
TedB123
Level 1
Level 1

ā€Ž09-04-2023 08:10 AM

hello again 

after my patching ordeal im now looking at configured SSO for admins.

I have followed these guides i still cant log into our ISE nodes, i get an error saying access denied.

https:/www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217342-configure-ise-3-1-ise-gui-admin-login-fl.html

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_asset_visibility.html?bookSearch=true#concet_6878301F1F7C460585A4A267ECF77723

https://www.youtube.com/watch?v=hPHmhtN36ro&ab_channel=CiscoISE-IdentityServicesEngine

the SSO configuration is working to a point where its going to Azure for authentication and its prompting me to enter in my credentials. I enter my details in and follow the prompts and nothing.. it takes me back to this screen.

TedB123_0-1693838754510.png

the guest.log file contains the following

2023-09-04 11:15:21,492 ERROR [https-jsse-nio-10.81.12.27-8443-exec-4][[]] guestaccess.flowmanager.step.guest.SSOLoginStepExecutor -::- SSO Authentication failed or unknown user, authentication result=UNKNOWN_USER, isFailedLogin=false, reason=24803 Unable to find 'username' attribute assertion

2023-09-04 11:15:21,500 ERROR [https-jsse-nio-10.81.12.27-8443-exec-4][[]] guestaccess.flowmanager.step.guest.SSOLoginStepExecutor -::- Login error with idp

during the setup process the instructions state to export the xml file. This file comes with an additional readme file which contains the following.
it says to add the username attribute into ISE.

TedB123_1-1693838973247.png

and i have done this as instructed.

TedB123_2-1693839919817.png

TedB123_3-1693839936343.png

interestingly the official guides dont contain step 7 so it makes me wonder if theres some other missing bits for SSO to work correctly.

 

in ise-psc.log ive found this

2023-09-04 14:53:22,109 INFO [admin-http-pool2][[]] cpm.admin.infra.action.LoginAction -::::- Login action:: SAML group name is null, hence SAML Administrator authentication failed

i can confirm that the security group specified in the azure sso application is the same one thats been configured in ISE.
the GUID is the same and its set as super admin. (as per instructions in the guides)

 

has anybody managed to configure SSO with Azure?
any suggestions as to what could be missing/happening will be greatly appreciated.

i will continue to troubleshoot while i wait for a TAC case to be raised but thought id ask and get the ball rolling here.

 

cheers

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
TedB123
Level 1
Level 1

ā€Ž09-04-2023 09:24 AM

i came across this post here

https://community.cisco.com/t5/network-access-control/cisco-ise-multiple-portals-login-via-azure-ad-saml/td-p/4900812

which explains a very similar scenario... i made the changes to the attributes in ISE as mentioned in this thread and sso started working!

will test a few more logins with the other guys to confirm its working

View solution in original post

1 Reply 1

Go to solution
TedB123
Level 1
Level 1

ā€Ž09-04-2023 09:24 AM

i came across this post here

https://community.cisco.com/t5/network-access-control/cisco-ise-multiple-portals-login-via-azure-ad-saml/td-p/4900812

which explains a very similar scenario... i made the changes to the attributes in ISE as mentioned in this thread and sso started working!

will test a few more logins with the other guys to confirm its working

Customers Also Viewed These Support Documents