Re: ISE admin user login issue

Mr. Bash · ‎05-16-2019

I have a user on my team [my manager actually] who can't login to our ISE admin node. He's using an active directory account that should allow him to login to the web GUI and look at logs etc. Other members of our team can login fine. I see his account when I go to Administration>Admin Access>Admin Users. His account is there, enabled and everything looks great. I can't seem to find a log that shows why his account is being denied, he essentially gets a generic "username and password aren't correct" message. He can use this same account with other devices and he get's in ok so it appears the account is ok otherwise.

We are running ISE version 2.2.0.470 patch 13. I tried googling the solution but I am largely getting articles that talk about how to setup admin access not really how to troubleshoot when it's not working. Can someone point me in the right direction to see a log file that shows why his account is being denied?

hslai · ‎05-16-2019

CSCvb64350 documented that,

Note

If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.

Also check how Admin Groups mapping to external AD groups.

If the above not helping, please engage TAC to troubleshoot.

RaffyLindogan · ‎05-16-2019

Hi mate,

Just want to confirm, you mentioned that his user is also registered on AD right?

1. Is "External" checked on his name in Admin user?

2. Under Authentication/Identity source - is it Internal or you configured your AD?

2. What Admin Group is he in?

Cheers,

Raffy