ISE Admin Access with multiple external identity stores

andrewbritt
Level 1

Hi, I'm working on a project to cut over our existing ACS to ISE. I'm new to ISE and looking through an eval version of the application. I'm looking for a way to authenticate users to different external identity sources.

ISE access requirements:

- External company needs super user access for support, authenticated via an LDAP external identity source
- Internal users need Read-Only access, authenticated via an AD external identity source
- Internal database will have a single super-admin user account if external identity store connectivity is down.

From looking at the GUI page Administration > Admin Access > Authentication > Authentication Method, I can pick either the AD or LDAP, which appear as a drop-down on the login screen, but I don't have an option for both.

Outcome:

I want to be able to have multiple external identity stores as well as the internal store, for users to choose where they need to be authenticated. Is this possible?

**Note - on my eval I have created dummy AD and LDAP External Identity Stores so the joins have not been established, just in case this causes an issue.

1 Accepted Solution

Greg Gibbs
Cisco Employee

Current versions of ISE can only leverage a single external Identity Source (AD, LDAP, RADIUS Token, etc) for authentication of Admin Access (GUI, External RESTful Service).

ISE will always permit an Internal user to log in via the dropdown. There is no way to restrict allowing login by an internal user only in the case that the external ID store is unavailable.

Some options that customers have used to work around this include:

  • In lieu of providing direct GUI access, using an external syslog server like Splunk and creating dashboards for monitoring and analysing AAA and system health events
  • Creating an internal ERS Operator user account and using API tools for read-only functions

Cheers,

Greg

4 Replies

Thanks Greg.

I figured as much following some further testing on "admin groups": when I select the external check box, it pre-fills the external identity source selected under Authentication-type.

For ISE Administration, you can point to a single source only. To work around it, build a global catalog server which points to multiple LDAPs. Then point ISE to the global catalog server. Your global catalog can have multiple forests for different domains (internal/external).

This is the easiest way I can think of.

**** please remember to rate useful posts

Hi Mohammed,

That could be a great workaround.

Thanks for calling out the option.

Andrew