Policy [ 1) AAA - 2) local DB ] to access the web interface of ISE 3.2

Gioacchino · ‎02-22-2024

Hi Cisco ISE admin folks,

is there a way to force users to use LDAP insted of local users, as long as LDAP can be reached?
How are you enforcing this? (*) I see that this policy can be specified in the web GUI, but there is also an option in the CLI where actually onlu TACACS+ can be specified.

What would be the difference?

TIA, Gio

(*) What I would do, but maybe there ia better method, is to change the shared (how? I wouldn't know, maybe API?) admin pwd regularly and store in vault. I assume users would prefer to use their own LDAP pwd rather than logging into the vault to pick up the current valid password of a shared user. Just my 2 cents.

Arne Bier · ‎02-22-2024

Hi @Gioacchino

Are you talking about ISE Admin Access (your subject line says "... to access ISE 3.2") ? Or do you mean TACACS+?

If TACACS+, then the answer might lie with creating an Identity Source Sequence where the Internal Users comes before the LDAP External Identity. That will ensure that internal users are looked up first.

If you're talking about ISE Admin access, LDAP is an accepted identity source. This means that on the ISE web login page, the default will be LDAP credentials. And the only way to login to ISE Admin UI using internal admin creds, is by selecting the drop-down page on the ISE login page and selecting the option "Internal". But this must be done (or remember to do!) by the person logging into the web UI.

Gioacchino · ‎02-23-2024

Hi @Arne Bier ,

yes, I'm presented with both but I'd like to force users to use LDAP and not to use the internal DB.

In routers/switches, we have a sort of fallback, where if access to remote servers times out, then local DB is used.

I'm looking for such a solution for ISE too, in case it exists.

Gio

Aref Alsouqi · ‎02-23-2024

As @Arne Bier mentioned you could achieve this by setting the LDAP on top of the internal users in a source identity sequence profile, and then associating that sequence profile to the authentication rule. That way, the LDAP will be checked first, and if no user is found it will then check against the local internal users database.

Gioacchino · ‎02-23-2024

Thanks@Aref Alsouqi , but I'm speaking of logging onto the ISE itself via its Web GUI, and as per what @Arne Bier said, there is no way to achieve this. ISE will always present, through a drop-down menu, all the sources against which the users must be authenticated.

Aref Alsouqi · ‎02-23-2024

I see. Yeah in case of accesses to ISE itself you can point to your AD or to ISE local users database. When you open up the UI page, ISE by default gives the option to point to the AD, and if you want to use a local network user account, you have to click on the dropdown menu and select internal.

Gioacchino · ‎02-23-2024

Seen it is a security product and it enforces security wherever and whenver its fathers thought it would be necessary, I thought they would enforce the authentication chain as in routers..

Ok, thanks

Aref Alsouqi · ‎02-23-2024

Even when you configure SAML I think it will show up as an addition button on the login screen rather than having it in an authentication sequence.

Arne Bier · ‎02-23-2024

@Gioacchino - if you want to prevent users from logging into the ISE GUI using a local admin credential, then simply change the default admin password to something super-secret, and only tell those users you trust (small circle). For everyone else, they should login using whatever external identity source you have configured - e.g. LDAP, AD.

The accounts on the CLI are a separate database too - each ISE node has its own local collection of user accounts for the CLI. Take care of those. Perhaps create an additional user account per node and store the credentials in a vault somewhere. I would not recommend enabling AD auth for the CLI - it's a clunky implementation and since the CLI is not something you would regularly access, I don't think AD is required.

Gioacchino · ‎02-25-2024

Thanks @Arne Bier ,

we don't have dozens of nodes, hence an update on regualr basis should be doable. Still, I wonder if that might be done in an automated way. API?

Thanks, Gio

Arne Bier · ‎02-25-2024

@Gioacchino what exactly do you want to do in an automated way (API) ?

Gioacchino · ‎02-26-2024

Change the password of the local accounts on a regualr basis.
Ansible might do the trick.

Thanks, Gio

Greg Gibbs · ‎02-25-2024

If you are asking about updating internal Admin account (used for the GUI) passwords via API, the answer is no. The API currently only provides Read operations for Admin user accounts. There are no Create, Update, or Delete operations available via API.
https://developer.cisco.com/docs/identity-services-engine/latest/#!adminuser

If are asking about automating updates to CLI admin account (which are separate from the GUI accounts) passwords, you would need to look at leveraging Ansible or other scripting tool that can SSH into the ISE nodes and use CLI commands to change the passwords. This is not a function that the ISE APIs can perform.