Cisco ISE 1.1.2.145 Admin Authentication using LDAP

I have configured the LDAP and am able to retrieve our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to the "External Identity" source, which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Identity sources are unreachable. How can I test the LDAP authentication without breaking our Admin Access? I thought of opening two parallel sessions, one with the Super Admin local account and the other with a domain account. But I noticed that ISE communication is smart enough to log off/log in any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to do the tests. Suggestions? Or am I missing something here?

Many thanks in advance.


7 Replies

Charlie Moreton
Cisco Employee

Srinivas,

Do you have users authenticating 24 hours a day?  If not, then set up an off-hours experiment.

Set the Admin Access Authentication Method to LDAP and log out then back in to the ISE.

Once you verify this works, disconnect the ISE from the network and connect it to a switch between just it and your PC.  Try to log in.  Use both the LDAP and Internal Admin User credentials. 

Verify which one works, reconnect the ISE to the main network and post your findings here.

If you do have 24 hour authentications, you may want to set up a test lab with a VM to research this.

Sorry, but I cannot find any definitive documentation on this.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Aastha Chaudhary
Cisco Employee

Hi Srinivas,

Even if you set up LDAP as an External Identity source for admin access, you can still fall back to Internal without getting locked out. As per the ISE user guide:

During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543

Please refer to the attached screenshot from my lab ISE:

AdminAuth.jpg

I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.

Hope this helps.

Thanks,

Aastha

Aastha: How did you manage to display Identity Sources on the Login Page? I am using Super Admin account and the portal login doesn't have this menu/drop down with Identity Sources listed.

Thanks for your help.

Srinivas

Srinivas,

You will see this option when you have enabled AD or any other external Identity Source for Admin authentication. You can find this setting from ISE GUI under Administration > System > Admin Access > Authentication > Authentication Method.

Under Password Based authentication, the Identity Source is set to Internal by default. Once you change it to AD, or LDAP, you will start seeing that ID source on the login dropdown.

Thanks,

Aastha

Aah! That's what I was concerned to change, thinking that if I change it and it doesn't work, I might lose Admin Access to it. Thanks much, Aastha. I will have to schedule a change and get this done. I will keep you posted on the progress.

Many thanks once again.

You're welcome Srinivas! Let me know how it goes.

Thanks,

Aastha

It worked! Thanks a ton, Aastha.

Charles: Thanks for your tips as well.