02-11-2021 06:24 AM
Hello community
I'm currently preparing a migration from ACS to ISE 3.0. We use ACS as the TACACS+ service for all our switches, and we have local user accounts. Because of security recommendations I'd like to move away from local accounts to AD authentication. However, our AD account names are random numbers, and all our device admins are used to authenticating with a very simple two-letter acronym of their name. We cannot make any changes to AD, as it is managed by a whole other team.
My question, then, is: can we somehow map an alias to an AD account name in ISE? For example, a device admin named Steve Johnson logs in with the credential SJ, but his AD account is T1598863.
Thanks
02-11-2021 07:44 AM
>I'd like to move away from local accounts to AD authentication
In case of network lockups it may be desirable to keep a local account available on the switch as well.
>can we somehow map an alias to an AD-account name in ISE
- I doubt this can be done, but even if it could: remember that ISE is a cornerstone of your intranet security environment. Good integration and communication with the AD admin group is therefore strongly recommended.
M.
02-12-2021 10:07 AM
Not really what it's meant for, but I used identity rewrite to achieve this. It's only 10 people or so who manage the switches on a daily basis, so it's manageable with identity rewrite.