ISE 2.3 - ISE Admin Access with AD Accounts

SHANNON WYATT
Level 1

Working on a fresh deployment of ISE 2.3 with Patch one applied. I've set up authentication into ISE to use AD, but some data is being filtered. I've created a single AD group for admin access, and I've created the linkage between that group and super admin menu access group. It is odd. I can see the alarms on the summary page and I click an alarm, but when it opens the alarm page I cannot acknowledge the alarm. Other things are off as well, like when I go to network devices I can see that there are network devices; in the right-hand corner it shows 0 selected | Total 130, but none are displayed. Has anyone else run into this issue?

7 Replies

SHANNON WYATT
Level 1

Well, that didn't take too long to resolve. I added menu access, but no data access. :-(

It is working fine now.

Good catch!

You're not alone - I did the same thing myself when I first set up RBAC on ISE.

Argh, still don't see the TACACS logs.

There is an identified bug on admin access when using AD accounts & duplicated default profiles (RBAC issue). Not sure if it was solved in 2.3. In my case, no matter if I assigned super admin privileges to a specific AD group, acknowledging the alarms is disabled, some tabs are not displayed, changing menu/data access visibility randomly works, etc. The answer I got was that you cannot duplicate or modify the default profiles for network administrator, helpdesk, etc. For now, I use the internal super admin account to manage the admin access profiles and permissions.

I'm opening a TAC case to verify if that is the issue in this case. I'm having another issue so I figured it makes sense to check. 

TAC has had the case for a week and no response. 

You should call the TAC and ask that your case be re-queued and/or to speak to the duty manager.

Assuming it was opened with the default severity level (Severity 3), you should have an initial response within 72 hours and updates at least every 72 hours thereafter.

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Severity_and_Escalation_Guidelines.pdf