ISE 1.1.1 - Error when changing password policy

Aug 12th, 2013

ISE 1.1.1 connected to Active Directory for both RADIUS auth and Administration auth. I have an internal monitor account and the default internal admin account. When I go to Administration > Admin Access > Authentication > Password Policy and attempt to make any changes I receive the following error:


Error occurred: Unable to save configuration details. Authentication settings could not be saved since the currently configured external source is referred in one or more admin groups.


I assume the error is in regard to using AD to auth an admin group, but I'm not sure why it would interfere with the local password policy of internal users. The AD-connected admin group is a new admin group and not from a default existing group.


Thank you for any assistance.

Muhammad Munir (Cisco Employee) Tue, 08/13/2013 - 00:59

Hello Richard

If you have configured an external identity source such as LDAP and want to use that as your authentication source to grant access to the admin user, you must select that particular identity source from the Identity Source list box. Also please check the LDAP port.

Every Cisco ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have any one of the following roles assigned: RBAC Admin, Super Admin, or System Admin.


For more information, this link would be helpful to you:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

See page no. 148.

rmcintos2969 Tue, 08/13/2013 - 03:58

Logging in with both internal and external users works just fine.  My problem is changing the password policy for local users as noted above.  The error occurs when changing said policy.

rmcintos2969 Wed, 09/04/2013 - 06:21

This is a known bug in ISE 1.1.x.

The workaround is to ensure your local admin account is enabled. Log in with the internal admin account. Then, under your Admin Groups, change your external group to be an internal-only group. You can then change your password policy and save it. Finally, enable your external admin group.

This is fixed in 1.2.


Also, I've searched through the bug list and can't find any reference to this, but was told these instructions by TAC.
