Deepak Muralidharan
Cisco ISE trying to use Super user credentials to access AD servers
Hi Experts,
Is there a way to check in the Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter that shows why, or which device is being accessed by ISE?
Logs like the below were found on the SIEM:
Caller computer name : \\companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: domain name
Subject account name : user account
Subject account domain: domain
Device host name : company.us.com
Address: 10.12.3.4
Device event class ID : Microsoft-Windows-Security-Auditing:4740
This rule triggers on every instance of Windows event ID 4740 - a user account was locked out.
Sincerely
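As an added example (not part of the original thread, nor anything shipped with Cisco ISE), the script below parses a constructed SIEM export of 4740 events in the field layout quoted above, groups lockouts by caller computer and domain, and flags any caller that has locked a privileged account in more than one domain; the host names, domain names and the privileged-account list are assumptions.

```python
# Triage of Windows 4740 (account lockout) events exported from a SIEM. Added
# example; layout and values are constructed, domain names and watch-list assumed.
from collections import defaultdict
import re

PRIVILEGED = {"administrator"}  # assumed watch-list; extend per environment

# Constructed SIEM export: events separated by a blank line, "key : value" lines inside.
SAMPLE_EVENTS = """\
Caller computer name : \\\\companyISE01
Account lock out : Administrator
Account lockout Domain: CORP
Device event class ID : Microsoft-Windows-Security-Auditing:4740

Caller computer name : \\\\companyISE01
Account lock out : Administrator
Account lockout Domain: APAC
Device event class ID : Microsoft-Windows-Security-Auditing:4740

Caller computer name : \\\\WKS-0042
Account lock out : jdoe
Account lockout Domain: CORP
Device event class ID : Microsoft-Windows-Security-Auditing:4740
"""

def parse_events(text):
    """Split the export into 4740 events and normalise 'key : value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip().lstrip("\\")
        if fields.get("device event class id", "").endswith(":4740"):
            events.append(fields)
    return events

def lockouts_by_caller(events):
    """Map caller -> {domain -> set(locked accounts)} so one caller's reach is visible."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in events:
        summary[ev["caller computer name"]][ev["account lockout domain"]].add(ev["account lock out"])
    return summary

def flag_cross_domain_privileged(events):
    """Callers (e.g. an ISE node) that locked a privileged account in more than one domain."""
    hits = []
    for caller, domains in lockouts_by_caller(events).items():
        hit_domains = sorted(d for d, a in domains.items() if {x.lower() for x in a} & PRIVILEGED)
        if len(hit_domains) > 1:
            hits.append((caller, hit_domains))
    return hits
```

Running `flag_cross_domain_privileged(parse_events(SAMPLE_EVENTS))` on the constructed data reports companyISE01 against both APAC and CORP, which is the pattern the asker is trying to pin down; on a real export, the same per-caller summary shows which domains each ISE node is reaching.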
You can check the reports in Operations -> Reports
ASKER
Which one of the reports do I need to choose? I can't find anything that shows ISE accessing other devices.
Authentication reports show only user authentication; even among the other logs I am unable to find anything related to ISE access.
OK, well ISE will query AD periodically to check user accounts and group SIDs, so really it should be using its own service account instead of an administrator account that probably has a different password than the one that was used to join ISE to the domain. That's likely to be the reason why the account is being locked out.
ASKER
The issue is not that ISE is trying to connect to the local domain, which it is supposed to connect to. It's trying to connect to servers belonging to an overseas domain using a privileged account! That alert is from the SIEM, but on the ISE box itself it's only connecting to local ADs. So I have no clue what exactly is happening.
I understand that.
Have you configured ISE to use groups from the overseas AD? If not, have you configured AD Sites and Services correctly?
ASKER
Overseas ADs are not included as authenticated users; also, we have only included local ADs and related services.
So your remote ADs are totally separate domains in different forests?
ASKER
Yes, so we need to know why it's trying to access there.
Are the domains trusted by each other?
ASKER
Yes, from info given by the client.
So ISE is trying to query a remote AD based on an attempted authentication by someone who is using a user or machine account in the remote domain.
What version of ISE are you running?
ASKER
No, the ISE is trying to use a privileged account to get into servers on remote ADs.
ISE version is 2.0
ASKER
that should be a very good approach