Cisco ISE "Unknown" Super Admin Member

alex.f.
Level 1

Hi,

I am tasked with the initial configuration of an ISE deployment (primary/secondary).

During the AD join and enabling AD admins to access the GUI via External Identity Source I see two members in the Admin group -> Super Admin.

First -> admin2 (this is the admin user added by the customer during installation)

Second -> ~internal-edda-ers-user991

I don't know this user and it looks like some kind of "system API account".

So, for now I'm clueless and I can't find any helpful information.

Can anyone explain to me how this user is created?

What service does this account use?

Arne Bier
VIP

Those are local admin accounts that are not created as part of a default ISE install - looks like those were manually created.

They also have nothing to do with your AD integration. Are you asking whether to remove them, or what they might be for?

The "ers" in the 2nd username does seem to relate to some kind of API user. There is an ERS User Group that limits the access for those types of accounts - you don't want people logging in with that account - it should be limited to making REST API calls only.

You can have a mix of local ISE Admin users, as well as AD Admin users. During the ISE Web GUI login, the default screen will display an option to log in with the AD Join accounts, but you can select "local accounts" from the drop-down. You will always have at least one local ISE Admin user account to log into the GUI in the event that the AD join is not working. Or as a last resort option. It's also a useful account for things like Cisco DNAC/ISE integration. But you can create multiple ISE local admin accounts and it's a good practice to have

During an ISE install, the first (default) ISE user is called 'admin'. Perhaps someone thought they were being more security conscious and chose the username 'admin2'. But that is just a guess.

As for the second username, perhaps someone in your organisation is making API calls to ISE, using the ERS interface. You should be able to run an Operations audit report to see if that user has logged in in the last 30 days.

Greg Gibbs
Cisco Employee

Actually, there are some internal Super Admin user accounts that are created automatically in newer versions of ISE for some of the more recent feature enhancements. Here is an example screenshot from my ISE 3.2 patch 5 instance:

[Screenshot: Screenshot 2024-05-09 at 8.55.17 AM.png (Super Admin group members on ISE 3.2 patch 5)]

The 'edda' reference is related to the pxGrid Direct feature and the 'mctrust' reference is related to the Meraki Sync Service feature. I believe both of these functions run as Docker containers, so I suspect these are internal admin accounts used for authentication of internal communications related to those container microservices.
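A small review helper that follows from both replies above, added here as an example and not code from either poster or from Cisco: it takes an exported list of ISE admin users (the `name`/`adminGroups` record shape is an assumption, and all member names other than `admin2` and `~internal-edda-ers-user991` are constructed), separates the ISE-created `~internal-<tag>-...` service accounts (tagging `edda`, `mctrust` and `ers` with the features named in the thread) from the admins the customer expects, and leaves anything else in an "unknown" list to be checked against the Operations audit report.

```python
import re
from typing import Dict, List

# Feature tags seen in this thread for ISE-created internal accounts (~internal-<tag>-...):
# 'edda' = pxGrid Direct, 'mctrust' = Meraki Sync Service, 'ers' = ERS REST API.
INTERNAL_TAGS = {"edda": "pxGrid Direct", "mctrust": "Meraki Sync Service", "ers": "ERS REST API"}
INTERNAL_RE = re.compile(r"^~internal-(?P<tag>[a-z]+)-")

# Constructed sample export; the record shape (name + adminGroups) is an assumption,
# not a documented ISE format. Only admin2 and the edda account come from the thread.
SAMPLE_EXPORT = [
    {"name": "admin2", "adminGroups": ["Super Admin"]},
    {"name": "~internal-edda-ers-user991", "adminGroups": ["Super Admin"]},
    {"name": "~internal-mctrust-user42", "adminGroups": ["Super Admin"]},   # constructed
    {"name": "ers-readonly", "adminGroups": ["ERS Admin"]},                # constructed
    {"name": "svc-unknown", "adminGroups": ["Super Admin"]},               # constructed
]


def super_admins_from_export(users: List[dict]) -> List[str]:
    """Return the names of every user that is a member of the Super Admin group."""
    return [u["name"] for u in users if "Super Admin" in u.get("adminGroups", [])]


def review_super_admins(super_admins: List[str], expected: List[str]) -> Dict[str, List[str]]:
    """Classify Super Admin members into:
    'expected'     - accounts on the customer's allow-list,
    'ise_internal' - ISE-created service accounts, annotated with the feature they belong to,
    'unknown'      - anything else, to be reviewed with the customer and the audit report."""
    report: Dict[str, List[str]] = {"expected": [], "ise_internal": [], "unknown": []}
    for name in super_admins:
        if name in expected:
            report["expected"].append(name)
            continue
        match = INTERNAL_RE.match(name)
        if match:
            # The first tag after '~internal-' identifies the feature (edda-ers-... is still edda).
            feature = INTERNAL_TAGS.get(match.group("tag"), "unrecognised tag, review")
            report["ise_internal"].append(f"{name} ({feature})")
            continue
        report["unknown"].append(name)
    return report


if __name__ == "__main__":
    members = super_admins_from_export(SAMPLE_EXPORT)
    for bucket, names in review_super_admins(members, expected=["admin2"]).items():
        print(f"{bucket}: {names}")
```

Accounts in the `ise_internal` bucket should never appear as interactive GUI logins in the audit report; anything in `unknown` warrants a conversation with whoever built the deployment.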