Cisco ISE trying to use Super user credentials to access AD servers

Hi Experts,

Is there a way to check in Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter that shows why, or which device is being accessed by ISE?

Logs like below found on SIEM,
Caller computer name : \\ companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: domain name

Subject account name : user account
Subject account domain: domain

Device host name : company.us.com
Address:10.12.3.4
Device event class ID : Microsoft-windows -security - auditing:4740

This rule triggers on every instance of Windows event ID 4740 - a user account was locked out.

Sincerely
Deepak Muralidharan Asked:

Craig Beck Commented:
You can check the reports in Operations -> Reports
Deepak Muralidharan (Author) Commented:
Which one of the reports do I need to choose? I can't find anything which shows ISE accessing other devices.

Authentication reports show only user authentication; even among the other logs I am unable to find something related to ISE access.
Craig Beck Commented:
OK, well ISE will query AD periodically to check user accounts and group SIDs, so really it should be using its own service account instead of an administrator account that probably has a different password than the one that was used to join ISE to the domain. That's likely to be the reason why the account is being locked out.

Deepak Muralidharan (Author) Commented:
The issue is not that ISE is trying to connect to the local domain, which it is supposed to connect to. It's trying to connect to servers belonging to an overseas domain using a privileged account! That alert is from the SIEM, but on the ISE box itself it's only connecting to local ADs. So I have no clue what exactly is happening.
Craig Beck Commented:
I understand that.

Have you configured ISE to use groups from the overseas AD? If not, have you configured AD Sites and Services correctly?
Deepak Muralidharan (Author) Commented:
Overseas ADs are not included as authenticated users; also, we have only included local ADs and related services.
Craig Beck Commented:
So your remote ADs are totally separate domains in different forests?
Deepak Muralidharan (Author) Commented:
Yes, so we need to know why it's trying to access there.
Craig Beck Commented:
Are the domains trusted by each other?
Deepak Muralidharan (Author) Commented:
Yes, from the info given by the client.
Craig Beck Commented:
So ISE is trying to query a remote AD based on an attempted authentication by someone who is using a user or machine account in the remote domain.

What version of ISE are you running?
Deepak Muralidharan (Author) Commented:
No, the ISE is trying to use a privileged account to get into servers on remote ADs.

ISE version is 2.0
Craig Beck Commented:
ISE will not try to access anything in remote ADs - it will just try to authenticate users/machines and verify groups.

The OS itself is a Linux kernel with no way of talking to a remote AD. The ISE application only queries AD. It cannot do anything apart from query user or machine accounts and groups. It does nothing more than that.

If you are seeing logs from the ISE server using a privileged account (i.e., Administrator) it is because you used that account to join the ISE server to the local domain and ISE is trying to authenticate a user or machine in the remote domain using that account. I can pretty much guarantee that the administrator account uses a different password now.

Create a service account for ISE, then rejoin it to the domain using that account.  The problem will disappear.
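The SIEM export in the question shows the fields a defender has to work with (caller computer name, locked-out account, account domain, domain controller). The script below is an added example for triaging such 4740 records; it is not code from this thread or from Cisco. It parses the "key : value" layout quoted above from a constructed sample, keeps only lockouts whose caller is an ISE node, and rates a privileged-account lockout logged by a domain controller outside ISE's own domains higher than one in the local domain, which is the pattern described in this thread. The ISE hostnames, local domain list, privileged-account list, and all hostnames and addresses in the sample are assumptions, not values from the thread.

```python
"""Triage Windows event 4740 (account locked out) records attributed to a Cisco ISE node.

Added example, not code from this thread or from Cisco.  The sample records are
constructed from the field names quoted in the question; hostnames, domains and
addresses are invented.  ISE_HOSTS, LOCAL_DOMAINS, PRIVILEGED_ACCOUNTS are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed SIEM export: three 4740 records separated by "---".
SAMPLE_EVENTS = r"""
Caller computer name : \\companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: CORP-US
Device host name : dc01.corp.us.example
Address:10.12.3.4
Device event class ID : Microsoft-windows -security - auditing:4740
---
Caller computer name : \\companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: CORP-EU
Device host name : dc01.corp.eu.example
Address:10.50.3.4
Device event class ID : Microsoft-windows -security - auditing:4740
---
Caller computer name : \\WKS-0042
Caller IP address :
Account lock out : jsmith
Account lockout Domain: CORP-US
Device host name : dc01.corp.us.example
Address:10.12.3.4
Device event class ID : Microsoft-windows -security - auditing:4740
"""

# Environment assumptions (placeholders, not values from the thread).
ISE_HOSTS = {"companyise01"}            # ISE node hostnames, lower-case
LOCAL_DOMAINS = {"corp-us"}             # domains ISE is joined to and expected to query
PRIVILEGED_ACCOUNTS = {"administrator"}

# "key : value" split on the FIRST colon, so "auditing:4740" stays inside the value.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


@dataclass
class Lockout:
    caller: str    # "Caller computer name": host that presented the failing credentials
    account: str   # account that was locked
    domain: str    # domain that holds the account
    dc_host: str   # domain controller that logged the lockout
    dc_ip: str


def _parse_record(block: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = re.sub(r"\s+", " ", m.group("key")).strip().lower()
            fields[key] = m.group("value")
    return fields


def parse_events(text: str) -> List[Lockout]:
    """Return only the 4740 records; records with any other event ID are skipped."""
    out: List[Lockout] = []
    for block in text.split("---"):
        f = _parse_record(block)
        m = re.search(r"(\d+)\s*$", f.get("device event class id", ""))
        if not m or int(m.group(1)) != 4740:
            continue
        out.append(Lockout(
            caller=f.get("caller computer name", "").lstrip("\\").lower(),
            account=f.get("account lock out", "").lower(),
            domain=f.get("account lockout domain", "").lower(),
            dc_host=f.get("device host name", "").lower(),
            dc_ip=f.get("address", ""),
        ))
    return out


def triage(lockouts: List[Lockout]) -> List[Dict[str, str]]:
    # high   : privileged account locked on a DC outside ISE's own domains (this thread's case)
    # medium : privileged account locked in ISE's own domain; check the domain-join account
    # low    : non-privileged account locked by an ISE node
    findings = []
    for lk in lockouts:
        if lk.caller not in ISE_HOSTS:
            continue  # ordinary workstation lockouts belong in the helpdesk queue
        if lk.account in PRIVILEGED_ACCOUNTS:
            severity = "high" if lk.domain not in LOCAL_DOMAINS else "medium"
        else:
            severity = "low"
        findings.append({"severity": severity, "caller": lk.caller, "account": lk.account,
                         "domain": lk.domain, "dc_host": lk.dc_host, "dc_ip": lk.dc_ip})
    return findings
```

Run against the constructed sample, `triage(parse_events(SAMPLE_EVENTS))` yields one "medium" finding (Administrator locked in the local domain) and one "high" finding (Administrator locked by the ISE node on the CORP-EU controller); the workstation lockout is dropped. After re-joining ISE with a dedicated service account as recommended above, adding that account to the watch-list instead of "administrator" turns the same script into a check that the old credentials are no longer in use anywhere.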

Deepak Muralidharan (Author) Commented:
That should be a very good approach.