Beginner

ISE admin user login issue

I have a user on my team [my manager actually] who can't log in to our ISE admin node. He's using an Active Directory account that should allow him to log in to the web GUI and look at logs etc. Other members of our team can log in fine. I see his account when I go to Administration>Admin Access>Admin Users. His account is there, enabled and everything looks great. I can't seem to find a log that shows why his account is being denied; he essentially gets a generic "username and password aren't correct" message. He can use this same account with other devices and he gets in OK, so it appears the account is OK otherwise.

 

We are running ISE version 2.2.0.470 patch 13. I tried googling the solution but I am largely getting articles that talk about how to set up admin access, not really how to troubleshoot when it's not working. Can someone point me in the right direction to see a log file that shows why his account is being denied?

2 REPLIES
Cisco Employee

CSCvb64350 documented that,

Note

If an internal user is configured with an external identity store for authentication, while logging in to the ISE Admin portal, the internal user must select the external identity store as the Identity Source. Authentication will fail if Internal Identity Source is selected.

Also check how Admin Groups map to external AD groups.

If the above does not help, please engage TAC to troubleshoot.

 

Beginner

Hi mate,

 

Just want to confirm, you mentioned that his user is also registered on AD, right?

 

1. Is "External" checked on his name in Admin user?

2. Under Authentication/Identity source - is it Internal, or have you configured your AD?

3. What Admin Group is he in?

 

Cheers,

 

Raffy