I didn't find the answer anywhere, so I would like to ask if someone knows why the Prime needs a superuser admin for the integration. The Prime server should only read some data from ISE, so I thought a Read-only admin would be enough.
Many customers have problems adding superuser rights to such a user, so a good explanation would be great.
Thanks a lot.
Thanks for the reply. I am talking about the integration of Cisco ISE with the Prime Infrastructure.
A local admin account in ISE is required and that admin has to be superuser. I do not understand why such privileges are needed.
Hello @hslai ,
Cisco TAC says that it is not possible:
Please be advised that the credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.
Could you please give any screenshots to prove it works? We have an SSH issue connecting PI to ISE (the reason we asked TAC for help) and we can't test it ourselves.
Thanks a lot!
... We have an SSH issue connecting PI to ISE (the reason we asked TAC for help) and we can't test it ourselves.
PI does not connect to ISE via SSH AFAIK. Only Cisco DNA Center requires ssh to ISE.
Introduction to the Monitoring REST APIs is where we documented the admin role requirements due to CSCur87193, which is not customer visible due to the lack of a release-note enclosure. It was supposed to be documented in the ISE compatibility matrix, but somehow the info got lost, and our BE is not regularly testing ISE integration with PI.
IIRC we tested it successfully with ISE 2.0/2.1 and PI 3.1 in CY2016. As that is 4 years ago, the setup is no longer available.
@hslai Thank you for clarification! That's inspiring. Will post what we'll be able to do.
SSH - my fault, I meant TLS of course.
Have same question here.
A customer with a highly secure environment doesn't want to allow any unnecessary superuser access to ISE, especially since there is no explicit documentation in either the ISE configuration guides or the PI configuration guides...
Also, there is no explanation of how PI interacts with ISE; the ports or protocols we should open on firewalls seem to have to be investigated by packet capture...
Ports and protocols I can answer - it is tcp/443 transporting TLS 1.2 (unless you have some really old unsupported releases in which case it's TLS 1.1).
Thanks a lot for that!
Are there any references in the documentation? Unfortunately, we can't just refer to the Cisco community; the customer's security department needs proof for every ACL created...
The ISE server is added from the PI side. When you do that, the port is shown in the GUI:
Additionally, you can easily run tcpdump on the ISE node (Operations > Troubleshoot > Diagnostic Tools) and see the traffic. Packet capture doesn't lie, no matter what the guides show (or don't show).
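To turn that capture into something a security department can review, here is an added example (my own script, not Cisco's and not from this thread) that parses tcpdump's default text output, counts the inbound flows to the ISE node per client, protocol and destination port, and flags anything outside the expected tcp/443 named above. It assumes the capture was taken on the ISE node with the Diagnostic Tools tcpdump and exported as plain text, and that the traffic is IPv4; the sample lines and all addresses in them are constructed, not from a real capture.

```python
"""Summarise PI -> ISE flows from tcpdump text output to justify firewall ACLs.

Added example, not Cisco's code. Assumes tcpdump default (IPv4) text output
as exported from the ISE Diagnostic Tools page. Sample capture is constructed.
"""
import re
from collections import Counter

# Constructed sample: 192.0.2.10 plays Prime Infrastructure, 198.51.100.20 plays
# the ISE node, and 192.0.2.99 is an unrelated host hitting tcp/22.
SAMPLE_CAPTURE = """\
10:15:01.000123 IP 192.0.2.10.51234 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:15:01.000456 IP 198.51.100.20.443 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:15:01.000789 IP 192.0.2.10.51234 > 198.51.100.20.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
10:15:02.100000 IP 192.0.2.10.51235 > 198.51.100.20.443: Flags [S], seq 3, win 64240, length 0
10:15:03.200000 IP 192.0.2.99.40000 > 198.51.100.20.22: Flags [S], seq 4, win 64240, length 0
"""

# tcpdump prints "IP src.sport > dst.dport: <rest>" for IPv4 packets.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
SYN_ONLY_RE = re.compile(r"Flags \[S\]")  # a bare SYN marks a new TCP session


def parse_capture(text):
    """Return one record per parsable IPv4 line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if "Flags [" in rest:
            proto = "tcp"
        elif "UDP" in rest:
            proto = "udp"
        else:
            proto = "other"
        records.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "proto": proto,
            "syn": proto == "tcp" and SYN_ONLY_RE.search(rest) is not None,
        })
    return records


def inbound_flows(records, server_ip):
    """Count packets addressed to server_ip, keyed by (client, proto, dport)."""
    counts = Counter()
    for r in records:
        if r["dst"] == server_ip:
            counts[(r["src"], r["proto"], r["dport"])] += 1
    return counts


def new_sessions(records, server_ip):
    """Count TCP sessions opened towards server_ip (SYN-only packets)."""
    counts = Counter()
    for r in records:
        if r["dst"] == server_ip and r["syn"]:
            counts[(r["src"], r["proto"], r["dport"])] += 1
    return counts


def unexpected_flows(flows, allowed=frozenset({("tcp", 443)})):
    """Flows whose (proto, dport) is not in the allowed set.

    Anything returned here needs an explanation before it goes into an ACL;
    the default allowed set is the tcp/443 stated in the thread.
    """
    return sorted(key for key in flows if (key[1], key[2]) not in allowed)


def acl_summary(text, server_ip, allowed=frozenset({("tcp", 443)})):
    """Parse a capture and return per-flow counts plus the flows to question."""
    records = parse_capture(text)
    flows = inbound_flows(records, server_ip)
    return {
        "flows": flows,
        "sessions": new_sessions(records, server_ip),
        "unexpected": unexpected_flows(flows, allowed),
    }


if __name__ == "__main__":
    result = acl_summary(SAMPLE_CAPTURE, "198.51.100.20")
    for (client, proto, port), n in sorted(result["flows"].items()):
        sessions = result["sessions"][(client, proto, port)]
        print(f"{client:>15} -> {proto}/{port}: {n} packet(s), {sessions} new session(s)")
    for client, proto, port in result["unexpected"]:
        print(f"UNEXPECTED: {client} -> {proto}/{port}")
```

The packet counts confirm the destination port and direction, which is what the ACL needs; they do not show the TLS version, because tcpdump's default output stops at the TCP header. If the security department also wants the TLS 1.2 claim verified, capture with payload (for example tcpdump -X) and read the version field from the ServerHello, or feed the pcap to a protocol dissector.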