Re: ISE Locks Admin Account

hurricane05 · ‎12-22-2020

It seems the original admin account that was used to join our ISE to Active Directory, keeps locking the Active Directory account. Where do we change the admin account in ISE that is used to query and access Active Directory that would have the AD account configured?

Thx in Advance for any assistance given.

marce1000 · ‎12-22-2020

- Check if this procedure can help , to add new account or to make changes :

https://www.cisco.com/c/dam/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

ilay · ‎12-22-2020

I have tested this problem. First, join all ISE nodes to a test domain controller, then disable the account used for join domains, restart all ISE nodes, after restart, all ISE nodes still in normal state, ise authenticaiton work well too.

After the ISE node join to AD, ISE will appear in the Domain Computers group of the Domain Controller, just like an ordinary windows device is join to the Domain Controller. Although the account is disabled, it does not affect ISE authentication.

If you need to update the username used for join to the AD, you need to disconnect all nodes from the DomainController first, and then rejoin with the new username.(select all ise nodes, click "Leave", type username/password, then click "Join" type username/password again. //The username can be any user who has the permission to join/leave the Domain)

hurricane05 · ‎12-23-2020

Thx for the responses everyone as I've been reviewing the possible options. iLay - with the option of having the node leave and re-join the domain, does that affect any of the current policies setup for enforcement or affect existing end points?

ilay · ‎12-23-2020

Leave & rejoin the domain will not affect the existing policy settings, but all policies that rely on this "Identity Sources" will not work properly.

hslai · ‎12-26-2020

Each ISE PSN is using its AD computer account to perform the regular AD authentications in RADIUS and T+ transactions.

Unless AD domain controllers used as ISE Passive ID providers (WMI or PIC Agent or Endpoint Probes), ISE needs not store the AD user credentials that used to join ISE nodes to AD. If the AD credentials not stored, then we need NOT perform what ilay suggested on leaving and re-joining AD operations, which will disrupt the AD authentications.

hurricane05 · ‎12-27-2020

Thx for the input Hslai. Being that I jut took over this ISE system and previous administrator is no longer with the organization, is there a way to check to the configuration either through the gui or cli to see if when the node was joined to the domain, the option to store the AD credentials was selected? And if it was, is there an option to remove that without disrupting the communications with AD? This is a single node running all the individual node components.

Thx in advance for any response provided.

hurricane05 · ‎12-31-2020

Hi Hslai,

I looked a little further in the ISE Passive ID and noticed the below settings. So would this be the issue that may be occurring here since the account that is listed here is the one that is constantly locking up and should replace this account with the new one?

hslai · ‎12-31-2020

Yes, you are correct.