ISE Admin Access using ISE Policy Node

Dear Community,

We would like to enforce MFA (DUO) for ISE Admin Node logins. We are currently using Active Directory as the external authentication for the logins. However, is it possible to point the ISE Admin node to 1 or more of its own policy nodes and use Radius? We are already using ISE to enforce DUO MFA for other radius logins using the Identity Source Sequence in each Authentication Policy. I was wondering if it would be possible to configure a separate Authentication/Authorization policy set for the ISE Admin node as well. Has anyone tried this?

Also, is it safe to assume that no matter what identity source you choose for the Authentication Identity Source, "Internal" will always be available as a login option? I'm a little nervous to change the Type from AD to Radius without knowing I can log in using an internal admin account to reverse the change if Radius doesn't work.

Thank you for any feedback you can provide.

Thank you.

Accepted Solution

Greg Gibbs, Cisco Employee

The Internal login option will always be present in the GUI.

When you change the Authentication source for Admin Access, it applies to all ISE nodes in the cluster. Even if you could get this method to work (which I don't think you can), it would be a bad idea as the Admin GUI login for the PSN would be pointing to itself.

There is a validated method for Duo MFA with the ISE Admin GUI using the Duo Auth Proxy.

You should be aware, however, that any use of RADIUS Token servers as an External Identity Store with the ISE Admin GUI uses Internal Authorization in ISE. This requires 'shadow' accounts (with no password and the required RBAC role) created in ISE in advance for any admin users that will be logging in (as shown in the configuration example).
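As an added illustration of the topology Greg describes (this is not the post's, Cisco's, or Duo's own reference configuration), the ISE admin nodes would use a RADIUS Token external identity store that points at a Duo Authentication Proxy, which checks the primary password against AD and then pushes the Duo second factor. Hostnames, IP addresses, the AD group name, keys and secrets below are placeholders.

```ini
# Duo Authentication Proxy (authproxy.cfg) - added illustration, not a vendor
# reference config. Replace every placeholder before use.

[ad_client]
# Primary factor: verify the admin's AD password before involving Duo.
host=dc1.example.corp
service_account_username=svc-duo-proxy
service_account_password=PLACEHOLDER_CHANGE_ME
search_dn=DC=example,DC=corp
# Only members of this AD group pass the primary factor at all (assumed group name).
security_group_dn=CN=ISE-Admins,OU=Groups,DC=example,DC=corp

[radius_server_auto]
# Second factor: ISE's RADIUS Token identity store sends Access-Requests here.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
# One radius_ip_N / radius_secret_N pair per ISE node that will forward admin
# logins; the admin-access identity source applies to every node in the cluster.
radius_ip_1=10.0.0.11
radius_secret_1=PLACEHOLDER_SHARED_SECRET_1
radius_ip_2=10.0.0.12
radius_secret_2=PLACEHOLDER_SHARED_SECRET_2
# 'secure' rejects logins when Duo's cloud service is unreachable; 'safe' would
# let the AD password alone through, silently dropping MFA during an outage.
failmode=secure
client=ad_client
port=1812
```

Because ISE performs authorization internally for RADIUS Token stores, each admin still needs the matching passwordless "shadow" account with the correct RBAC role created in ISE beforehand, exactly as the reply notes.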
