ISE external identity source administrator account limitations

Samuel
Level 1

We currently have our ISE administrators using AD external identity sources to log into the servers; however, we've noticed that even with the super user setup we are unable to have full control. Is there something that can be done to allow AD admins to have full control?

Accepted Solutions

Damien Miller
VIP Alumni

I often use an AD account that is part of an AD group mapped to the super admin ISE role. I can confirm that this gives me the same level of access as the local admin account created during ISE install.

Before going any further, I would first confirm that you are mapping the AD group to the super admin ISE role.

[Attached screenshot: admin.JPG]

3 Replies

I had it misconfigured. Was setting it in the RBAC Policy. Thank you for your help.

@Damien Miller and @Samuel - have you noticed that there is one slight difference though between these users who are members of SuperAdmin, and the internal admin user itself? Only the SuperAdmin can delete internal admin accounts. Or at least that's my experience. So, SuperAdmin is as good as it gets, but the ultimate user will always be the built-in admin user.