Cisco ISE Users and How to Configure Them
Jonas Resende
Network and Security Specialist || Cisco ISE || Umbrella-SIG || Cisco SD-WAN and Meraki || Cisco Designated VIP 2024
Cisco ISE is one of the few platforms that uses distinct user accounts for distinct purposes.
In Cisco ISE there are three types of users: CLI users, administrative (admin access) users, and network access users.
Cisco ISE CLI User
The first CLI user account is created during the initial ISE setup, when you define the admin account. That first admin account can also be used to log in to the ISE portal; it is the one exception where a single account can access both the CLI and the GUI. Because it is the first account created, it is highly recommended that this credential is not shared. Access to it should be limited to the person who deployed ISE, or to whoever is responsible for managing the tool, and it must be stored in a safe place with restricted access.
Using the first admin credential, you can create additional users from the CLI.
A question may come to mind: what is the purpose of the CLI on Cisco ISE if the configuration is applied through the GUI?
The CLI is used for several things the GUI does not cover: the initial setup, patching and upgrades, backup and restore, node-level network settings, stopping and starting the application, and troubleshooting with show commands and tech-support bundles.
For the CLI, two roles can be assigned to an account: admin and user.
The structure of the command is: username <username> password {hash | plain} <password> role {admin | user} [email <email address>] [disabled]
Note: the information between < > symbols is the data that needs to be filled in by the administrator creating the account; the parts in [ ] are optional, and { | } means pick one of the alternatives.
Below is a picture showing how to create the account.
With the account created, exit configuration mode and issue show running-config | include username; you will see the new account listed, with its password stored as a hash even if you entered it as plain.
You can also create an account with the user role and compare it with an admin account to see the difference. You will notice that the user role has a minimal set of commands.
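The check a practitioner wants after creating CLI accounts is an audit of what is actually in the running configuration: which accounts exist, which carry the admin role, which are disabled, and whether every password is stored as a hash. The script below is an added example, not code from the article; it parses lines in the username command syntax described above and reports findings. The sample configuration is constructed for the example (the hashes are placeholders), and the limit of two enabled admin-role accounts and the name of the setup account are assumptions you would adjust for your deployment. The "plain" check is defensive only: as noted above, ISE writes the password as a hash regardless of how it was entered.

```python
# Added example: audit CLI accounts parsed from "show running-config | include username".
# Not part of the original article. Sample data below is constructed, not captured.

SAMPLE_RUNNING_CONFIG = """\
username admin password hash $6$rounds=5000$saltsalt$AAAAAAAA role admin
username netops password hash $6$rounds=5000$saltsalt$BBBBBBBB role admin email netops@example.com
username helpdesk1 password plain Sup3rSecret! role user
username contractor password hash $6$rounds=5000$saltsalt$CCCCCCCC role user email c@example.com disabled
"""


def parse_cli_users(config_text):
    """Parse 'username ...' lines into dicts.

    Follows: username <name> password {hash|plain} <secret> role {admin|user} [email <addr>] [disabled]
    The optional trailing keywords are accepted in either order (assumption, to be tolerant).
    """
    users = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 7 or tokens[0] != "username":
            continue
        if tokens[2] != "password" or tokens[5] != "role":
            continue  # not a username line we understand; skip rather than guess
        user = {
            "name": tokens[1],
            "mode": tokens[3],       # "hash" or "plain"
            "secret": tokens[4],
            "role": tokens[6],       # "admin" or "user"
            "email": None,
            "disabled": False,
        }
        rest = tokens[7:]
        i = 0
        while i < len(rest):
            if rest[i] == "email" and i + 1 < len(rest):
                user["email"] = rest[i + 1]
                i += 2
            elif rest[i] == "disabled":
                user["disabled"] = True
                i += 1
            else:
                i += 1  # unknown trailing token: ignore, do not abort the audit
        users.append(user)
    return users


def audit_cli_users(users, setup_account="admin", max_enabled_admins=2):
    """Return (username, finding) tuples a reviewer would act on.

    setup_account and max_enabled_admins are assumed policy values for this example.
    """
    findings = []
    for u in users:
        if u["mode"] != "hash":
            findings.append((u["name"], "password not stored as a hash"))
        if u["role"] == "admin" and not u["disabled"] and u["name"] != setup_account:
            findings.append((u["name"], "additional enabled admin-role CLI account"))
        if u["disabled"]:
            findings.append((u["name"], "disabled account still present; remove if no longer needed"))
    enabled_admins = [u["name"] for u in users if u["role"] == "admin" and not u["disabled"]]
    if len(enabled_admins) > max_enabled_admins:
        findings.append(("*", "%d enabled admin-role CLI accounts exceeds limit of %d"
                         % (len(enabled_admins), max_enabled_admins)))
    return findings


if __name__ == "__main__":
    for name, finding in audit_cli_users(parse_cli_users(SAMPLE_RUNNING_CONFIG)):
        print("%s: %s" % (name, finding))
```

Run it against the real output of show running-config | include username saved to a file, and treat every enabled admin-role account beyond the setup account as something that needs an owner and a reason.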
Administrative Users (Admin Access)
Administrative users manage ISE through the GUI. The accounts are located under Administration > System > Admin Access > Administrators > Admin Users.
Initially, you will see only the admin account, which was configured in the ISE setup.
To create a new account, click Add. You can either create a new admin user or select an existing Network Access User. Here we create a new user: after selecting that option, fill in the fields as shown below and click Submit.
When creating the admin user, you select the Admin Group it will belong to. In this example we create a single admin that is a member of the Helpdesk Admin group. The access level in the GUI depends on the group selected.
To see an overview of each group type, select Admin Groups, just below Admin Users.
Note: since the default admin account already exists, after creating Helpdesk_Admin we can compare the menus available to each account. The first admin account is a member of the Super Admin group.
With the Super Admin account the user has full access to all menus. Now log out of the admin account, log in as Helpdesk_Admin, and notice that the Helpdesk account has only four menus with very limited options.
There are now two admin users in the admin access database, as shown in the image below.
For admin access, ISE also supports integration with Active Directory: instead of logging in with a local username, the administrator logs in with AD credentials.
To perform this integration, I created two accounts and two groups in AD.
Keep in mind that before proceeding with this integration, both groups must be added under AD Groups in the External Identity Source. If you do not know how to add the groups, or have any doubts, check out the article Cisco ISE and Active Directory Integration.
To start the integration, go to Administration > System > Admin Access > Authentication, change the Identity Source to AD:labise.com, and click Save.
After this, go to Administrators > Admin Groups. Click Add, enter the Group Name, and select External as the Type. Once External is selected, the External Groups option appears, from which you choose the group to add. In this case, select the Network_Admin group and click Submit. Repeat the same process for the Network_Helpdesk group.
Below is a picture after both groups are included in the Admin Groups.
With the groups created, you need an RBAC (Role Based Access Control) policy for each group, covering the Administrator and Helpdesk accounts.
Note: RBAC is self-explanatory. With RBAC you define the privileges each group will have. ISE ships with default RBAC policies for the default admin groups, but you can also create customised rules, depending on your needs.
On the same Admin Groups screen, go to the left menu and select Authorization > RBAC Policy. On this screen, duplicate two existing rules, Super Admin Policy and Helpdesk Admin Policy, using the Actions button on the right side.
Rename the new line Network Admin - Full Access, and in the second column, Admin Groups, select the Network_Admin group previously imported from AD. The third column (permissions) does not need to change, since we want this group to have the same privileges as Super Admin. After completing this, click Save.
Now repeat the same process for Helpdesk Admin Policy: set the Rule Name to Network Helpdesk - Helpdesk Access and select the Network_Helpdesk group in the second column. The third column is left unchanged. After completing this, click Save.
Now it's time to test the access.
On the login page, enter the AD credentials. Note that after integrating ISE with AD, the Identity Source drop-down offers two options, Internal and the domain name. Since you are logging in with an AD user, select the domain and click Login. Keep the local admin account (selected through Internal) as a break-glass fallback: if AD is unreachable, it is the only way back into the portal.
After logging in, you will see that the ISE dashboard loaded for the AD account user_networkadmin is the same as for the local admin account.
You can also log in with the user_networkhelpdesk account and compare the result.
Network Access User
With a network access user, you can authenticate to a Wi-Fi or wired network using the RADIUS protocol. The authentication can use an account from an external identity store (AD, LDAP, OTP servers, smart cards) or from the internal identity store.
For secure network access, external identities are used most often, because they scale better and are easier to manage.
However, if you need a temporary account, or do not want the account in the corporate store, you can use the internal identity store, also known as the internal user database. When the account is created, you must select the group it belongs to. The group is there to separate internal users by the type of access each one receives, and to make the authentication and authorization policies easier to create and manage.
This internal database can also be used for TACACS+ (device administration) access.
Creating the user is very simple. Go to Administration > Identity Management > Identities > Users.
Click Add and fill in the information as shown below.
If you wish to create a new group, go to Administration > Identity Management > Identities > User Identity Groups.
So, these are the three types of users available in ISE.
I hope you enjoyed this read!
Comments

Jonas Resende (Security Analyst | CCNA | Fortinet FCA | CyberOps), 1 year ago: Very rich and very well detailed content, thank you for the article :D

(Network Support Engineer at VTEL), 2 years ago: Shadi Othman

(Senior Security Consulting Engineer | ITILv4 | ISE SME | 2xCCNP (SEC/EN) | Devnet Security Specialist | Python enthusiast), 2 years ago: Great article! Perhaps adding the CLI users external authentication? :)

Jonas Resende (author), 2 years ago: Thanks for sharing, bro.

(Project Manager), 2 years ago: That is a very detailed article, very good information in there :)