Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ISE 1.1.2.145 Admin Authentication using LDAP

I have configured the LDAP and able to retrive our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Idenitity sources are unreachable. How can I test the LDAP authentication with out breaking our Admin Access? I thought of opening two parallel sessions, one with Super Admin Local Account and the other with Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers so basically I can't open two parallel sessions from same machine to do the tests. Suggestions? or Am I missing something here?

Many thanks in advance.

Everyone's tags (3)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Hi Srinivas,

Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :

During operation, Cisco ISE is designed to "fall  back" and attempt to perform authentication from the internal identity  database, if communication with the external identity store has not been  established or if it fails. In addition, whenever an administrator for  whom you have set up external authentication launches a browser and  initiates a login session, the administrator still has the option to  request authentication via the Cisco ISE local database by choosing  "Internal" from the Identity Store drop-down selector in the login dialog.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543

Please refer to the attached screenshot from my lab ISE:

AdminAuth.jpg

I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.

Hope this helps.

Thanks,

Aastha

Cisco Employee

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Srinivas,

You will see this option when you have enabled AD or any other external Identity Source for Admin authentication. You can find this setting from ISE GUI under Administration > System > Admin Access > Authentication > Authentication Method.

Under Password Based authentication, the Identity Source is set to Internal by default. Once you change it to AD, or LDAP, you will start seeing that ID source on the login dropdown.

Thanks,

Aastha

7 REPLIES
Cisco Employee

Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Srinivas,

Do you have users authenticating 24 hours a day?  If not, then set up an off-hours experiment.

Set the Admin Access Authentication Method to LDAP and log out then back in to the ISE.

Once you verify this works, disconnect the ISE from the network and connect it to a switch between just it and your PC.  Try to log in.  Use both the LDAP and Internal Admin User credentials. 

Verify which one works, reconnect the ISE to the main network and post your findings here.

If you do have 24 hour authentications, you may want to set up a test lab with a VM to research this.

Sorry, but I cannot find any definitive documentation on this.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Cisco Employee

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Hi Srinivas,

Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :

During operation, Cisco ISE is designed to "fall  back" and attempt to perform authentication from the internal identity  database, if communication with the external identity store has not been  established or if it fails. In addition, whenever an administrator for  whom you have set up external authentication launches a browser and  initiates a login session, the administrator still has the option to  request authentication via the Cisco ISE local database by choosing  "Internal" from the Identity Store drop-down selector in the login dialog.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543

Please refer to the attached screenshot from my lab ISE:

AdminAuth.jpg

I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.

Hope this helps.

Thanks,

Aastha

New Member

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Aastha: How did you manage to display Identity Sources on the Login Page? I am using Super Admin account and the portal login doesn't have this menu/drop down with Identity Sources listed.

Thanks for your help.

Srinivas

Cisco Employee

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Srinivas,

You will see this option when you have enabled AD or any other external Identity Source for Admin authentication. You can find this setting from ISE GUI under Administration > System > Admin Access > Authentication > Authentication Method.

Under Password Based authentication, the Identity Source is set to Internal by default. Once you change it to AD, or LDAP, you will start seeing that ID source on the login dropdown.

Thanks,

Aastha

New Member

Cisco ISE 1.1.2.145 Admin Authentication using LDAP

Aah! Thats what I was concerned to change thinking that if I change it and if it doesnt work, I might loose Admin Access to it. Thanks much, Aastha. I will have to schedule a change and get this done. I will keep you posted on the progress.

Many thanks once again.

Cisco Employee

Cisco ISE 1.1.2.145 Admin Authentication using LDAP

You're welcome Srinivas! Let me know how it goes.

Thanks,

Aastha

New Member

Re: Cisco ISE 1.1.2.145 Admin Authentication using LDAP

It worked! Thanks a ton, Aastha.

Charles: Thanks for your tips as well.

471
Views
0
Helpful
7
Replies