cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1565
Views
10
Helpful
4
Replies

ISE Admin Access with multiple external identity stores

andrewbritt
Level 1
Level 1

Hi, I'm working on a project to cutover our existing ACS to ISE. I'm new to ISE and looking through an eval version of the application.  I'm looking for a way to authenticate users to different external identity sources.

 

ISE access requirements:

- External company needs super user access for support, authenticated via an LDAP external identity source

- Internal users need Read-Only access, authenticated via an AD external identity source

- Internal database will have a single super-admin user account if external identity store connectivity is down.

 

From looking at the gui page Administration > Admin Access > Authentication > Authentication Method - I can pick either the AD or LDAP which appear as a drop down on the login screen but I don't have an option for both.

 

Outcome:

I want to be able to have multiple external identity stores as well as internal store for users to choose where they need to be authenticated.  Is this possible?

 

**Note - on my eval I have created dummy AD and LDAP External Identity Stores so the joins have not been established, just in case this causes an issue.

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

Current versions of ISE can only leverage a single external Identity Source (AD, LDAP, RADIUS Token, etc) for authentication of Admin Access (GUI, External RESTful Service).

ISE will always permit an Internal user to login via the dropdown. There is no way to restrict allowing login by an internal user only in the case that the external ID store is unavailable.

Some options that customers have used to work around this include:

  • In lieu of providing direct GUI access, using an external syslog server like Splunk and creating dashboards for monitoring and analysing AAA and system health events
  • Creating an internal ERS Operator user account and using API tools for read-only functions

Cheers,

Greg

View solution in original post

4 Replies 4

Greg Gibbs
Cisco Employee
Cisco Employee

Current versions of ISE can only leverage a single external Identity Source (AD, LDAP, RADIUS Token, etc) for authentication of Admin Access (GUI, External RESTful Service).

ISE will always permit an Internal user to login via the dropdown. There is no way to restrict allowing login by an internal user only in the case that the external ID store is unavailable.

Some options that customers have used to work around this include:

  • In lieu of providing direct GUI access, using an external syslog server like Splunk and creating dashboards for monitoring and analysing AAA and system health events
  • Creating an internal ERS Operator user account and using API tools for read-only functions

Cheers,

Greg

Thanks Greg..

 

I figured as much following some further testing on "admin groups" when I select external check box it pre-fills the external identity source selected under Authentication-type.

For ISE Administration, you can point to single source only. To work around
it, build a global catalog server which points to multiple ldaps. Then
point ISE to the global catalog server. Your global catalog can have
multiple forests for different domains (internal/external).

This is the easiest way I can think of.

**** please remember to rate useful posts

Hi Mohammed,

 

That could be a great work around.

 

Thanks for calling out the option.

 

Andrew