05-08-2024 01:01 PM - edited 05-08-2024 01:03 PM
Hi,
I am tasked with the initial configuration of an ISE deployment (primary/secondary).
During the AD join and enabling AD admins to access the GUI via External Identity Source I see two members in the Admin group -> Super Admin.
First -> admin2 (this is the admin user added by the customer during installation)
Second -> ~internal-edda-ers-user991
I don't know this user and it looks like some kind of "system API account".
So, for now I'm clueless and I can't find any helpful information.
Can anyone explain to me how this user is created?
What service does this account use?
05-08-2024 02:29 PM
Those are local admin accounts that are not created as part of a default ISE install - looks like those were manually created.
They also have nothing to do with your AD integration. Are you asking whether to remove them, or what they might be for?
The "ers" in the 2nd username does seem to relate to some kind of API user. There is an ERS User Group that limits the access for those types of accounts - you don't want people logging in with that account - it should be limited to making REST API calls only.
You can have a mix of local ISE Admin users, as well as AD Admin users. During the ISE Web GUI login, the default screen will display option to login with the AD Join accounts, but you can select "local accounts" from the drop down. You will always have at least one local ISE Admin user account to log into the GUI in the event that the AD join is not working. Or as a last resort option. It's also a useful account for things like Cisco DNAC/ISE integration. But you can create multiple ISE local admin accounts and it's a good practice to have
During an ISE install, the first (default) ISE user is called 'admin'. Perhaps someone thought they were being more security conscious and chose the username 'admin2'. But that is just a guess.
As for the second username, perhaps someone in your organisation is making API calls to ISE, using the ERS interface. You should be able to run an Operations audit report to see if that user has logged in in the last 30 days.
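As an added example (not part of this thread or any Cisco tooling), the script below shows one way to act on the advice in this reply: take an exported administrator-login report, work out which admin accounts have actually authenticated in the last 30 days, and flag any API-style account (name containing "ers") that has been used for an interactive GUI login rather than REST calls only. The CSV column names (Timestamp, Admin Name, Interface, IP Address, Status) and the rows in SAMPLE_REPORT are constructed for the example; a real ISE report export uses its own column headings, so adjust the field names before running it on real data.

```python
"""Triage ISE admin accounts from an exported administrator-login report.

Added example for this thread, not Cisco code. It assumes a CSV export with
the constructed columns Timestamp, Admin Name, Interface, IP Address, Status.
Real ISE report exports name their columns differently; adjust parse_report().
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (hypothetical usernames, addresses and times).
SAMPLE_REPORT = """Timestamp,Admin Name,Interface,IP Address,Status
2024-05-07 09:15:02,admin2,GUI,10.1.1.50,Success
2024-05-07 09:20:44,~internal-edda-ers-user991,ERS,127.0.0.1,Success
2024-05-07 10:02:11,~internal-edda-ers-user991,ERS,127.0.0.1,Success
2024-03-01 14:30:00,ersapi,ERS,10.1.2.20,Success
2024-05-06 22:41:09,~internal-edda-ers-user991,GUI,10.1.1.77,Success
2024-05-08 08:00:00,ersapi,GUI,10.1.9.9,Failure
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_report(report_text):
    """Parse the CSV export into a list of dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(report_text)):
        rows.append({
            "time": datetime.strptime(row["Timestamp"], TIME_FORMAT),
            "user": row["Admin Name"],
            "interface": row["Interface"],   # GUI or ERS in the constructed data
            "ip": row["IP Address"],
            "status": row["Status"],
        })
    return rows


def summarize(rows, now, window_days=30):
    """Per account: last successful login, whether it fell inside the window,
    which interfaces it used, and the source IPs of any GUI logins."""
    cutoff = now - timedelta(days=window_days)
    summary = {}
    for r in rows:
        if r["status"] != "Success":
            continue  # failed attempts do not count as use of the account
        s = summary.setdefault(r["user"], {
            "last": None, "recent": False, "interfaces": set(), "gui_ips": set(),
        })
        if s["last"] is None or r["time"] > s["last"]:
            s["last"] = r["time"]
        if r["time"] >= cutoff:
            s["recent"] = True
        s["interfaces"].add(r["interface"])
        if r["interface"] == "GUI":
            s["gui_ips"].add(r["ip"])
    return summary


def is_api_style(username):
    """Heuristic from the thread: 'ers' in the name suggests a REST API account."""
    return "ers" in username.lower()


def findings(summary, window_days=30):
    """Human-readable findings: stale accounts and API accounts used interactively."""
    out = []
    for user, s in sorted(summary.items()):
        if not s["recent"]:
            out.append(f"{user}: no successful login in the last {window_days} days "
                       f"(last seen {s['last'].strftime(TIME_FORMAT)})")
        if is_api_style(user) and s["gui_ips"]:
            out.append(f"{user}: API-style account used for GUI login from "
                       f"{', '.join(sorted(s['gui_ips']))}")
    return out


def triage(report_text, now_text, window_days=30):
    """Convenience entry point: (summary, findings) for a report and a 'now'."""
    now = datetime.strptime(now_text, TIME_FORMAT)
    summary = summarize(parse_report(report_text), now, window_days)
    return summary, findings(summary, window_days)


if __name__ == "__main__":
    _, flagged = triage(SAMPLE_REPORT, "2024-05-08 13:00:00")
    for line in flagged:
        print(line)
```

Run it against a real export by replacing SAMPLE_REPORT with the file contents and the column names with the ones in your report; an account that shows up only on the ERS interface from localhost, as the internal account does in the constructed data, is consistent with an internal service account, while a GUI login from a workstation address is the case this reply says you do not want to see.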
05-08-2024 04:00 PM - edited 05-08-2024 04:02 PM
Actually, there are some internal Super Admin user accounts that are created automatically in newer versions of ISE for some of the more recent feature enhancements. Here is an example screenshot from my ISE 3.2 patch 5 instance:
The 'edda' reference is related to the pxGrid Direct feature and the 'mctrust' reference is related to the Meraki Sync Service feature. I believe both of these functions run as Docker containers, so I suspect these are internal admin accounts used for authentication of internal communications related to those container microservices.