03-27-2024 10:10 PM
I have created an external admin group in ISE, which is pointing to an AD group. There are several users in this AD group.
Will all the users in this AD group get ISE admin access, or can it be restricted to a few users?
03-28-2024 01:26 AM
@manvik any member of that group would be allowed based on that group membership.
Ideally you should create a new group and add the users that require access into that group.
03-28-2024 01:53 AM
Oops, that's shocking. Is there any way to control this in ISE?
AD is handled by a different department. Creating groups and adding/changing users in that group has a lengthy process and wait period.
03-28-2024 01:59 AM
@manvik use individual local accounts in the short term. And also arrange for the other department to create a dedicated AD group for ISE administrators; this is the standard approach of delegating management to ISE administrators.
03-28-2024 01:06 PM
This should not be shocking - this is the exact reason why group-based access exists and how it works to save you the need to individually manage permissions for 10's/100's/1000's of user accounts.
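Since every effective member of the mapped AD group gets ISE admin rights, the check that follows from this thread is to review that group's membership (including nested groups) and watch it for changes. The script below is an added example, not from any poster; it assumes the RSAT ActiveDirectory module, and the group name and baseline path are placeholders.

```powershell
# Added example: audit who effectively receives ISE admin access through the AD
# group that an ISE external admin group points to, and diff against a baseline.
# Assumes the RSAT ActiveDirectory module; $GroupName and $BaselinePath are placeholders.
param(
    [string]$GroupName = 'ISE-Admins',                       # placeholder: AD group mapped in ISE
    [string]$BaselinePath = "$PSScriptRoot\ise-admins-baseline.txt"
)

Import-Module ActiveDirectory

# -Recursive expands nested groups: a user in a group that is itself a member of
# the mapped group also inherits ISE admin access, so it must be counted here.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Sort-Object SamAccountName)

Write-Output "Effective user members of ${GroupName}: $($members.Count)"
$members | Format-Table SamAccountName, Enabled, LastLogonDate -AutoSize | Out-String | Write-Output

# Disabled accounts left in an admin-granting group are a cleanup item.
foreach ($m in $members | Where-Object { -not $_.Enabled }) {
    Write-Warning "Disabled account still in ${GroupName}: $($m.SamAccountName)"
}

$current = @($members | ForEach-Object { $_.SamAccountName })

if (Test-Path $BaselinePath) {
    $baseline = @(Get-Content $BaselinePath | Where-Object { $_ -ne '' })
    # Compare-Object rejects empty arrays, so handle those cases explicitly.
    if ($baseline.Count -eq 0 -or $current.Count -eq 0) {
        Write-Output "Baseline has $($baseline.Count) members, current has $($current.Count)."
    } else {
        $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Output "$change $($d.InputObject)"
        }
        if (-not $diff) { Write-Output "No membership change in $GroupName since baseline." }
    }
} else {
    Write-Output "No baseline found; recording current membership in $BaselinePath."
}

# Refresh the baseline so the next run reports only new changes.
$current | Set-Content -Path $BaselinePath
```

Run it on a schedule from a host with RSAT and forward the ADDED/REMOVED lines to your alerting, since each addition is a new ISE administrator whether or not anyone touched ISE itself.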
04-16-2024 12:23 AM
Guys, I tested this in the lab with ISE 2.7 version.
1. Created an AD group in AD and added users (aduser1) to it.
2. Created external Administrator Group in ISE and selected the AD group
3. Logged into the ISE portal with username aduser1
4. Result - Administrator authentication failed
I checked the Admin audit log in ISE. It gave the log "Authentication failed due to zero RBAC Groups."
Created another AD user and added it in ISE to the super admin group. This user was able to log in to the ISE GUI. I think we can conclude ISE is intelligent enough to deny any AD user from logging in to the admin GUI portal.
04-16-2024 03:27 AM
Are you saying that you had to create the admin locally in AD as well as in the ISE local database? If that is the case, then I would say there is something wrong, as if you point to an AD group for the admin access you shouldn't create any local account for those admins.
04-16-2024 06:06 AM
@Aref Alsouqi, nope. AD user is created in AD only. AD group is called out as an ISE admin group.
The user won't be permitted to log in to the ISE GUI if it's not created in ISE as an external password user.
04-16-2024 06:25 AM
Thanks for the clarification. I don't remember ever having had to do it that way; usually I connect ISE to AD and create the RBAC policy connecting the specific admin users' AD group that would have full permissions.