The ISE CLI and GUI have separate account databases. During initial setup, the admin account is synchronized between the CLI and the GUI;
later changes are not synchronized.
Important: add additional local CLI accounts (these CLI accounts are not synchronized to the GUI).
conf t
username <new user> password plain <password> role admin
!! restricted access
username <new user> password plain <password> role user
Reset CLI admin account password
application reset-passwd ise admin
Admin GUI access with AD account
Summary steps
1. ISE join AD
2. Enable admin access using AD
3. Configure Admin Group to AD group mapping
4. Set RBAC permission for the admin group
Detailed steps:
1. ISE join AD
ISE is joined to the corp.local domain.
The AD group NetworkAdmins is added to the ISE AD Groups list.
2. Enable admin access using AD
3. Add a new ISE administrators Group and map it to an AD group.
4. Set RBAC permission for the admin group
Duplicate "Super Admin Policy" to create a new policy, "AD Admin Policy", for the group "AdminGroup-AD".
Reference:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116503-configure-product-00.html