ISE: Is there a way to use the initial super-admin account for network device administration?

contracts
Level 1

It seems I have made a mistake. I configured an ISE deployment initially with the same username we use internally to log in to our network devices. It does not appear I can use ISE CLI/GUI admin user accounts in network device administration or network access policies.

Is there a way to do this? If not, can I overwrite the initial super-user admin account created in setup with a different username?

3 Replies

RaffyLindogan
Spotlight

Hi mate,

Can you please provide clarification on your goal?

Is it using your local account as part of the authorization rule for Device Administration?

Your local account on ISE should not have an impact on the NAD.

Policies for Device Admin for NAD are on Work Centre while Policies for ISE are on Administration Settings.

When you do the initial ISE installation you create a username and password. This user becomes the primary super-user to access the ISE GUI. I used the same username for setup that we currently use to remotely log in to all devices. In setting up the device administration/TACACS portion of ISE, I am not able to select admin users as part of an authentication policy for device access. When I try to create a second user of the same name in an internal identity store I get an error saying that the user is a duplicate.

In testing I have an authentication policy that points to Internal Users, and created a temporary username in my internal identity store. When testing logging into a remote device pointed at ISE, I can log in using my test username, but not my admin credentials. It appears my admin username does not fall underneath the umbrella of Internal Users, but I also do not see an option to specify an 'Admin Users' or the like in an authentication policy.

I am trying to avoid a mass username change for everyone who accesses these network devices, which is the outcome if I just create a new username and password to be used for everyone.

Mike.Cifelli
VIP Alumni

You can keep the two separate. You can utilize local ISE user groups and/or AD security groups if you are able to use external identity sources. In your device admin authz policies just match your conditions on whichever type of user group you have defined/decided to use. If you want to change the ISE CLI/GUI admin accounts you can do this too. The CLI change is straightforward. For the GUI change or additional super-admin account go to: Administration->System->Admin Access->Administrators->Admin Users. HTH!