cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
961
Views
4
Helpful
8
Replies

ISE admin Group AD users

manvik
Level 3
Level 3

I have created an external admin group in ISE, which is pointing to an AD group. There are several users in this AD group.
Will all the users in this AD group gets ISE admin access or can it be restricted to few users.

3 Accepted Solutions

Accepted Solutions

@manvik any member of that group would be allowed based on that group membership.

Ideally you should create a new group and add the users that require access into that group.

View solution in original post

@manvik use individual local accounts in the short term. And also arranage for the other department to create a dedicated AD group for ISE administrator, this is the standard approach of delegating mgmt to ISE administrators.

View solution in original post

manvik
Level 3
Level 3

Guys i tested this in the lab with ISE 2.7 version.

1. Created an AD group in AD and added users (aduser1) to it.
2. Created external Administrator Group in ISE and selected the AD group
3. Logged into the ISE portal with username aduser1
4. Result - Administrator authentication failed

i checked the Admin audit log in ISE. It gave log "Authentication failed due to zero RBAC Groups."

Created another AD user and added in ISE as super admin group. This user was able to login to ISE GUI. I think we can conclude ISE is intelligent enough to deny any AD user from logging to admin GUI portal.

 

View solution in original post

8 Replies 8

@manvik any member of that group would be allowed based on that group membership.

Ideally you should create a new group and add the users that require access into that group.

manvik
Level 3
Level 3

oops that's shocking, is there any way to control this in ISE.
AD is handled diff department. Creating groups, adding/changing users to that group ha lengthy process and wait period.

@manvik use individual local accounts in the short term. And also arranage for the other department to create a dedicated AD group for ISE administrator, this is the standard approach of delegating mgmt to ISE administrators.

thomas
Cisco Employee
Cisco Employee

This should not be shocking - this is the exact reason why group-based access exists and how it works to save you the need to individual manage permissions for 10's/100's/1000's of user accounts.

manvik
Level 3
Level 3

Guys i tested this in the lab with ISE 2.7 version.

1. Created an AD group in AD and added users (aduser1) to it.
2. Created external Administrator Group in ISE and selected the AD group
3. Logged into the ISE portal with username aduser1
4. Result - Administrator authentication failed

i checked the Admin audit log in ISE. It gave log "Authentication failed due to zero RBAC Groups."

Created another AD user and added in ISE as super admin group. This user was able to login to ISE GUI. I think we can conclude ISE is intelligent enough to deny any AD user from logging to admin GUI portal.

 

Are you saying that you had to create the admin locally in the AD as well as in ISE local database? if that is the case then I would say there is something wrong as if you point to an AD group for the admin accesses you shouldn't create any local account for those admins.

@Aref Alsouqi, nope. AD user is created in AD only. AD group is called out as an ISE admin group. 
User wont be permitted to login to ISE GUI, if it's not created in ISE as an external password user.

Thanks for the clarification. I don't remember ever had to do it that way, usually I connect ISE to AD and create the RBAC policy connecting the specific admin users AD group that would have full permissions.