Beginner

ISE Prime integration superuser admin

Hi,

I didn't find the answer anywhere, so I would like to ask if someone knows why Prime needs a superuser admin for the integration. The Prime server should only read some data from ISE, so I thought a read-only admin would be enough.

Many customers have problems granting superuser rights to such a user, so a good explanation would be great.

Thanks a lot.

 


13 REPLIES
Hall of Fame Guru

Re: ISE Prime integration superuser admin

Are you asking about integration with Active Directory (AD)? If so, no AD admin user account is required - only one with the ability to join the ISE nodes to the domain as domain computers and then only during initial configuration.
Beginner

Re: ISE Prime integration superuser admin

Hi Marvin,

Thanks for the reply. I am talking about the integration of Cisco ISE with Prime Infrastructure.

A local admin account in ISE is required, and that admin has to be a superuser. I do not understand why such privileges are needed.

Thanks

Hall of Fame Guru

Re: ISE Prime integration superuser admin

I suspect it is because the developers did not take the trouble to dig deeply into the Role-Based Access Control (RBAC) capabilities of ISE. Rather than define the exact data fields/types and roles necessary to integrate, it was easier for them to just say to use a superuser account.
Beginner

Re: ISE Prime integration superuser admin

Thanks Marvin, that's what I thought.

That's not good, and I understand that the customers don't like it.

Cisco Employee (accepted solution)

Re: ISE Prime integration superuser admin

Since ISE 2.0, the user could be one of the following ISE admin user roles:

SUPER_ADMIN, SYSTEM_ADMIN, MNT_ADMIN

Beginner

Re: ISE Prime integration superuser admin

Hello @hslai,
Cisco TAC says that it is not possible:

    Please be advised that the credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

Could you please give any screenshots to prove it works? We have an SSH issue connecting PI to ISE (the reason we asked TAC for help) and we can't test it ourselves.

 

Thanks a lot!

Cisco Employee

Re: ISE Prime integration superuser admin

... We have an SSH issue connecting PI to ISE (the reason we asked TAC for help) and we can't test it ourselves.

...

PI does not connect to ISE via SSH AFAIK. Only Cisco DNA Center requires SSH to ISE.

Introduction to the Monitoring REST APIs is where we documented the admin role requirements due to CSCur87193, which is not customer visible due to the lack of a release-note enclosure. It was supposed to be documented in the ISE compatibility matrix, but somehow the info got lost, and our BE is not regularly testing ISE integration with PI.

IIRC we tested it successfully with ISE 2.0/2.1 and PI 3.1 in CY2016. As that was 4 years ago, the setup is no longer available.
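Added example for the two Cisco Employee replies above (the accepted solution's role list and the pointer to the Monitoring REST APIs); it is not code from the thread or from Cisco. It probes the ISE Monitoring (MnT) REST API, which is what PI reads, with a dedicated local ISE admin whose admin group maps to MNT_ADMIN, so the least-privileged of the three accepted roles can be verified before PI is pointed at it instead of handing PI a superuser. Assumptions not stated on the page: the endpoint path /admin/API/mnt/Version and the <product>/<version> XML layout are taken from the public ISE Monitoring REST API documentation; the host, user and password are placeholders; the XML sample is constructed so the parse step runs offline.

```python
"""Probe the ISE Monitoring (MnT) REST API with a dedicated, non-superuser admin.

Added example, not Cisco's code. Assumed (not from the thread): the path
/admin/API/mnt/Version and the <product><version> response layout, which follow
the public ISE Monitoring REST API documentation; host/user/password placeholders.
"""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Admin roles the MnT API accepts since ISE 2.0 (from the accepted solution).
ACCEPTED_ROLES = ("SUPER_ADMIN", "SYSTEM_ADMIN", "MNT_ADMIN")

# Constructed sample of a Version response, used so parse_version() runs offline.
SAMPLE_VERSION_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<product name="Cisco Identity Services Engine">'
    '<version>2.4.0.357</version><type_of_node>0</type_of_node></product>'
)


def build_request(host, user, password, path="/admin/API/mnt/Version"):
    """HTTP Basic request to the MnT API; the credential only ever travels over TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{path}", method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def tls_context(ca_file=None):
    """Verify the ISE admin certificate (pin your CA via ca_file) and refuse
    anything below TLS 1.2, matching the tcp/443 + TLS 1.2 transport in the thread."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_version(xml_text):
    """Return the ISE version string from a Version response, or None if absent."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def interpret_status(code):
    """Map an HTTP status to what it says about the account's admin role."""
    if code == 200:
        return "accepted: this account can read the MnT API"
    if code in (401, 403):
        return ("rejected: wrong password, or the account's admin group does not "
                "map to one of " + "/".join(ACCEPTED_ROLES))
    return f"unexpected HTTP {code}: check the URL and that the MnT node is reachable"


def check_account(host, user, password, ca_file=None, timeout=10):
    """Live probe. Returns (status_code or None, version or None, verdict)."""
    req = build_request(host, user, password)
    try:
        with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, parse_version(body), interpret_status(resp.status)
    except urllib.error.HTTPError as err:          # 401/403/5xx: server answered
        return err.code, None, interpret_status(err.code)
    except urllib.error.URLError as err:           # TLS or connectivity failure
        return None, None, f"connection or TLS failure: {err.reason}"


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python probe.py ise-pan.example.com pi-mnt-reader  (placeholder names)
    ise_host, ise_user = sys.argv[1], sys.argv[2]
    print(check_account(ise_host, ise_user, getpass.getpass(), ca_file=None))
```

A 200 with a version string means the group-to-role mapping is good enough for the API PI uses; a 401/403 means the password or the admin group is wrong, not that a superuser is needed. Pass the ISE admin CA bundle as ca_file rather than disabling verification, because the account password is carried in the Basic header.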

 

Beginner

Re: ISE Prime integration superuser admin

@hslai Thank you for the clarification! That's inspiring. I will post what we are able to do.

SSH - my fault, I meant TLS, of course.

Beginner

Re: ISE Prime integration superuser admin

I have the same question here.

A customer with a highly secure environment doesn't want to allow any unnecessary superuser access to ISE, especially since there is no explicit documentation in either the ISE configuration guides or the PI configuration guides...

Also, there is no explanation of how PI interacts with ISE; the ports or protocols we should open on firewalls apparently have to be investigated by packet capture...

 

Hall of Fame Guru

Re: ISE Prime integration superuser admin

Ports and protocols I can answer - it is tcp/443 transporting TLS 1.2 (unless you have some really old unsupported releases, in which case it's TLS 1.1).

Beginner

Re: ISE Prime integration superuser admin

Thanks a lot for that!

 

Are there any references in the documentation? Unfortunately, we can't just refer to the Cisco community; the customer's security department needs proof for every ACL created...

 

Hall of Fame Guru

Re: ISE Prime integration superuser admin

The ISE server is added from the PI side. When you do that, the port is shown in the GUI:

[image: ISE-PI Integration.PNG]

Additionally you can easily run tcpdump on the ISE node (Operations > Troubleshoot > Diagnostic Tools) and see the traffic. Packet capture doesn't lie, no matter what the guides show (or don't show).

[image: ISE-PI pcap.PNG]
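Following the capture advice in the reply above, an added example (not code from the post or from Cisco) that turns `tcpdump -n` output into the per-port evidence a security department asks for: it counts packets and distinct flows from the PI address to the ISE address, emits the matching extended ACL entries, and flags any destination port other than the tcp/443 named in the thread. The capture lines and the addresses 10.10.0.20 (PI) and 10.10.0.5 (ISE) are constructed placeholders; feed it a real capture taken from the ISE GUI diagnostic tools or from tcpdump run with -n so hostnames are not resolved.

```python
"""Summarise tcpdump -n output into the ports/protocols PI actually uses towards ISE.

Added example for this thread, not Cisco's code. SAMPLE_CAPTURE, PI_IP and ISE_IP
are constructed placeholders shaped like real `tcpdump -n` IPv4 lines.
"""
import re
from collections import Counter

# tcpdump -n IPv4 line: "HH:MM:SS.usec IP src.sport > dst.dport: <decode>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

PI_IP, ISE_IP = "10.10.0.20", "10.10.0.5"   # placeholders

# Constructed capture: one PI->ISE TLS connection (3 packets), one ISE reply,
# one unrelated DNS query from ISE, and a second PI->ISE connection attempt.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.10.0.20.49322 > 10.10.0.5.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000350 IP 10.10.0.5.443 > 10.10.0.20.49322: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000600 IP 10.10.0.20.49322 > 10.10.0.5.443: Flags [.], ack 201, win 64240, length 0
12:00:01.002000 IP 10.10.0.20.49322 > 10.10.0.5.443: Flags [P.], seq 101:618, ack 201, win 64240, length 517
12:00:05.100000 IP 10.10.0.5.40001 > 10.10.0.53.53: 12345+ A? pi.example.com. (32)
12:00:06.000000 IP 10.10.0.20.49400 > 10.10.0.5.443: Flags [S], seq 300, win 64240, length 0
"""


def summarize(capture, client_ip, server_ip):
    """Packets and distinct source-port flows from client_ip to server_ip, keyed by
    (proto, dport). Replies and traffic not between the two hosts are ignored."""
    packets, flows = Counter(), {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != client_ip or m["dst"] != server_ip:
            continue
        # tcpdump decodes TCP segments with "Flags [...]"; treat anything else as UDP.
        proto = "tcp" if m["rest"].startswith("Flags [") else "udp"
        key = (proto, int(m["dport"]))
        packets[key] += 1
        flows.setdefault(key, set()).add(int(m["sport"]))
    return {k: {"packets": packets[k], "flows": len(flows[k])} for k in packets}


def acl_lines(summary, client_ip, server_ip):
    """Cisco extended-ACL entries that permit exactly what the capture showed."""
    return [f"permit {proto} host {client_ip} host {server_ip} eq {port}"
            for proto, port in sorted(summary)]


def unexpected(summary, expected=frozenset({("tcp", 443)})):
    """Anything PI sent to ISE on a port other than the documented tcp/443."""
    return set(summary) - set(expected)


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE, PI_IP, ISE_IP)
    for key, stats in sorted(result.items()):
        print(f"{key[0]}/{key[1]}: {stats['packets']} packets, {stats['flows']} flows")
    print("\n".join(acl_lines(result, PI_IP, ISE_IP)))
    print("unexpected ports:", unexpected(result) or "none")
```

The flow count (distinct PI source ports) is the number that matters for an ACL review; the packet count only shows the capture was long enough to be representative. Anything reported by unexpected() is either undocumented PI behaviour worth a TAC case or a sign the capture filter was too wide.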

Beginner

Re: ISE Prime integration superuser admin

Marvin, thank you very much!