Deepak Muralidharan asked:
Cisco ISE trying to use Super user credentials to access AD servers

Hi Experts,

Is there a way to check in the Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter that shows why, or which device is being accessed by ISE?

Logs like the below were found in the SIEM:

Caller computer name: \\companyISE01
Caller IP address:
Account lockout: Administrator
Account lockout domain: domain name

Subject account name: user account
Subject account domain: domain

Device host name: company.us.com
Address: 10.12.3.4
Device event class ID: Microsoft-Windows-Security-Auditing:4740

This rule triggers on every instance of Windows event ID 4740 - a user account was locked out.

Sincerely
Craig Beck

You can check the reports in Operations -> Reports.

ASKER

Which one of the reports do I need to choose? I can't find anything which shows ISE accessing other devices.

The Authentication reports show only user authentication; even among the other logs I'm unable to find anything related to ISE access.

Craig Beck

OK, well ISE will query AD periodically to check user accounts and group SIDs, so really it should be using its own service account instead of an administrator account that probably has a different password than the one that was used to join ISE to the domain. That's likely to be the reason why the account is being locked out.

ASKER

The issue is not that ISE is trying to connect to the local domain, which it is supposed to connect to. It's trying to connect to servers belonging to an overseas domain using a privileged account! That alert is from the SIEM, but on the ISE box itself it's only connecting to local ADs. So I have no clue what exactly is happening.

Craig Beck

I understand that.

Have you configured ISE to use groups from the overseas AD? If not, have you configured AD Sites and Services correctly?

ASKER

Overseas ADs are not included as authenticated users; we have only included local ADs and related services.

Craig Beck

So your remote ADs are totally separate domains in different forests?

ASKER

Yes, so we need to know why it's trying to access there.

Craig Beck

Are the domains trusted by each other?

ASKER

Yes, from info given by the client.

Craig Beck

So ISE is trying to query a remote AD based on an attempted authentication by someone who is using a user or machine account in the remote domain.

What version of ISE are you running?

ASKER

No, the ISE is trying to use a privileged account to get into servers on remote ADs.

ISE version is 2.0
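To work the thread's reasoning from the SIEM side, here is an added example (Python; not code from the original page, from Cisco or from the posters). It parses a text export of 4740 events in the "Key: value" layout quoted in the question, keeps only the lockouts whose Caller Computer Name is an ISE node, groups them by account, lockout domain and reporting domain controller, and flags each group where the locked-out account is a privileged one or the lockout domain is one ISE is not configured to join. The sample events, the ISE node name companyISE01, the domain names, IPs and DC hostnames are constructed placeholders; the list of joined domains is an input the analyst supplies.

```python
"""Triage Windows 4740 (account locked out) events for lockouts caused by a Cisco ISE node.

Added example for this thread; not code from Cisco, Experts Exchange or the posters.
The SIEM export below is constructed; hostnames, IPs and domain names are placeholders.
"""
from collections import Counter

# Constructed sample export in the "Key: value" layout quoted in the question,
# one 4740 record per block, blocks separated by '---'.
SAMPLE_EVENTS = r"""
Caller computer name: \\companyISE01
Account lockout: Administrator
Account lockout domain: APAC-CORP
Device host name: dc01.apac.example.com
Address: 10.12.3.4
Device event class ID: Microsoft-Windows-Security-Auditing:4740
---
Caller computer name: \\companyISE01
Account lockout: Administrator
Account lockout domain: EMEA-CORP
Device host name: dc01.emea.example.com
Address: 10.40.3.4
Device event class ID: Microsoft-Windows-Security-Auditing:4740
---
Caller computer name: \\companyISE01
Account lockout: svc_ise
Account lockout domain: SG-CORP
Device host name: dc01.sg.example.com
Address: 10.12.3.10
Device event class ID: Microsoft-Windows-Security-Auditing:4740
---
Caller computer name: \\LAPTOP-7F3
Account lockout: jdoe
Account lockout domain: SG-CORP
Device host name: dc01.sg.example.com
Address: 10.12.3.10
Device event class ID: Microsoft-Windows-Security-Auditing:4740
---
Caller computer name: \\companyISE01
Account lockout: Administrator
Account lockout domain: APAC-CORP
Device host name: dc01.apac.example.com
Address: 10.12.3.4
Device event class ID: Microsoft-Windows-Security-Auditing:4740
"""


def parse_events(text, separator="---"):
    """Split a text export into records of lower-cased keys; keep only event ID 4740."""
    events = []
    for raw in text.split(separator):
        record = {}
        for line in raw.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # split on the first colon only
            record[key.strip().lower()] = value.strip()
        if record.get("device event class id", "").endswith(":4740"):
            events.append(record)
    return events


def canonical_host(name):
    # Strip UNC backslashes and any DNS suffix, lower-case: '\\companyISE01' -> 'companyise01'
    return name.lstrip("\\").split(".")[0].lower()


def ise_lockouts(events, ise_nodes, joined_domains, privileged_accounts=("administrator",)):
    """Group lockouts whose caller is an ISE node and flag the two conditions the thread
    cares about: a privileged account locked out, and a lockout in a domain ISE is not joined to."""
    ise = {canonical_host(n) for n in ise_nodes}
    joined = {d.lower() for d in joined_domains}
    priv = {p.lower() for p in privileged_accounts}
    counts = Counter()
    for ev in events:
        caller = canonical_host(ev.get("caller computer name", ""))
        if caller not in ise:
            continue
        counts[(caller, ev.get("account lockout", ""),
                ev.get("account lockout domain", ""), ev.get("device host name", ""))] += 1
    findings = []
    for (caller, account, domain, dc), n in sorted(counts.items()):
        findings.append({
            "ise_node": caller, "account": account, "domain": domain, "dc": dc,
            "lockouts": n,
            "privileged": account.lower() in priv,
            "outside_joined_domain": domain.lower() not in joined,
        })
    return findings


if __name__ == "__main__":
    # Assumed inputs: ISE node name and the only domain ISE is joined to in this scenario.
    for f in ise_lockouts(parse_events(SAMPLE_EVENTS), ["companyISE01"], ["SG-CORP"]):
        flags = [k for k in ("privileged", "outside_joined_domain") if f[k]]
        print(f"{f['ise_node']} locked {f['domain']}\\{f['account']} on {f['dc']} x{f['lockouts']} {flags}")
```

Running it prints one line per (ISE node, account, domain, DC) group. The Caller Computer Name in a 4740 event is what ties the lockout back to the ISE node, and the Device host name tells you which domain controller recorded it, which answers the "which device" part of the question even when the ISE reports show nothing. Applying the same filter to the real export narrows the question to "which account did ISE present to which remote domain", which is the detail needed to test the thread's suggestion that it is the domain-join account with a stale password.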
ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.
ASKER

That should be a very good approach.