Cisco ISE trying to use Super user credentials to access AD servers

Deepak Muralidharan
Hi Experts,

Is there a way to check in the Cisco ISE logs why it's using some privileged account to access various AD servers around the global branches? Is there any setting or log filter that shows why, or which device is being accessed by ISE?

Logs like the below were found on the SIEM:
Caller computer name : \\ companyISE01
Caller IP address :
Account lock out : Administrator
Account lockout Domain: domain name

Subject account name : user account
Subject account domain: domain

Device host name : company.us.com
Address:10.12.3.4
Device event class ID : Microsoft-windows -security - auditing:4740

This rule triggers on every instance of Windows event ID 4740 - a user account was locked out.

Sincerely
Top Expert 2014

Commented:
You can check the reports in Operations -> Reports

Author

Commented:
Which one of the reports do I need to choose? I can't find anything which shows ISE accessing other devices.

Authentication reports show only user authentication; even among the other logs I am unable to find something related to ISE access.
Top Expert 2014

Commented:
OK, well ISE will query AD periodically to check user accounts and group SIDs, so really it should be using its own service account instead of an administrator account that probably has a different password than the one that was used to join ISE to the domain. That's likely to be the reason why the account is being locked out.
Author

Commented:
The issue is not that ISE is trying to connect to the local domain, which it is supposed to connect to. It's trying to connect to servers belonging to an overseas domain using a privileged account! That alert is from the SIEM, but on the ISE box itself it's only connecting to local ADs. So I have no clue what exactly is happening.
Top Expert 2014

Commented:
I understand that.

Have you configured ISE to use groups from the overseas AD? If not, have you configured AD Sites and Services correctly?

Author

Commented:
Overseas ADs are not included as authenticated users; also, we have only included local ADs and related services.
Top Expert 2014

Commented:
So your remote ADs are totally separate domains in different forests?

Author

Commented:
Yes, so we need to know why it's trying to access there.
Top Expert 2014

Commented:
Are the domains trusted by each other?

Author

Commented:
Yes, from info given by the client.
Top Expert 2014

Commented:
So ISE is trying to query a remote AD based on an attempted authentication by someone who is using a user or machine account in the remote domain.

What version of ISE are you running?

Author

Commented:
No, the ISE is trying to use a privileged account to get into servers on remote ADs.

ISE version is 2.0
Top Expert 2014
Commented:
ISE will not try to access anything in remote ADs - it will just try to authenticate users/machines and verify groups.

The OS itself is a Linux kernel with no way of talking to a remote AD. The ISE application only queries AD. It cannot do anything apart from query user or machine accounts and groups. It does nothing more than that.

If you are seeing logs from the ISE server using a privileged account (i.e., Administrator) it is because you used that account to join the ISE server to the local domain, and ISE is trying to authenticate a user or machine in the remote domain using that account. I can pretty much guarantee that the administrator account uses a different password now.

Create a service account for ISE, then rejoin it to the domain using that account.  The problem will disappear.
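The thread's diagnosis rests on correlating the SIEM's 4740 lockout alerts with the caller computer (the ISE node) and with the domain of the locked-out account. The script below is an added example, not from this thread or from Cisco: it takes SIEM-normalized 4740 records (the sample records, host names, IPs and domain names are constructed and hypothetical; the field names mirror the SIEM fields shown in the question, not raw Windows XML field names) and, per caller host, reports how many lockouts it caused, whether a privileged account was involved, and whether the lockouts hit domains other than the ISE node's home domain. A caller that locks out "Administrator" in a remote domain is exactly the pattern the expert describes, and the verdict points the reviewer at the AD join account rather than at ISE "attacking" remote servers.

```python
"""Correlate Windows 4740 (account locked out) alerts with the caller host.

Added example, not from the thread. Records, host names, IPs and domains
below are constructed samples. Keys mirror the SIEM-normalized fields from
the question (caller computer, locked-out account, lockout domain), not the
raw Windows event XML field names.
"""
from collections import defaultdict

# Constructed sample SIEM export; only event_id 4740 rows are lockouts.
SAMPLE_EVENTS = [
    {"event_id": 4740, "dc": "dc01.us.example.com", "locked_account": "Administrator",
     "lockout_domain": "US", "caller_computer": "\\\\ companyISE01"},
    {"event_id": 4740, "dc": "dc01.eu.example.com", "locked_account": "Administrator",
     "lockout_domain": "EU", "caller_computer": "\\\\COMPANYISE01"},
    {"event_id": 4740, "dc": "dc02.eu.example.com", "locked_account": "Administrator",
     "lockout_domain": "EU", "caller_computer": "\\\\COMPANYISE01"},
    {"event_id": 4740, "dc": "dc01.us.example.com", "locked_account": "jsmith",
     "lockout_domain": "US", "caller_computer": "\\\\WKS-0142"},
    # Not a lockout (4625 = failed logon); must be ignored by the correlation.
    {"event_id": 4625, "dc": "dc01.us.example.com", "locked_account": "jsmith",
     "lockout_domain": "US", "caller_computer": "\\\\WKS-0142"},
]

# Account names treated as privileged; extend with your own admin/break-glass names.
PRIVILEGED_ACCOUNTS = {"administrator"}


def normalize_host(name):
    """Strip the leading backslashes, stray spaces and case from a caller name."""
    return name.lstrip("\\").strip().upper()


def lockouts_by_caller(events):
    """Return {caller_host: {(domain, account): count}} over 4740 events only."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("event_id") != 4740:
            continue
        caller = normalize_host(ev["caller_computer"])
        key = (ev["lockout_domain"].upper(), ev["locked_account"].lower())
        counts[caller][key] += 1
    return counts


def assess_caller(caller, per_target, home_domain):
    """Classify what one caller host is locking out and where.

    home_domain is the domain the caller (e.g. the ISE node) was joined to;
    any other lockout domain counts as foreign.
    """
    privileged = sorted({acct for (_, acct) in per_target if acct in PRIVILEGED_ACCOUNTS})
    foreign = sorted({dom for (dom, _) in per_target if dom != home_domain.upper()})
    total = sum(per_target.values())
    if privileged and foreign:
        verdict = ("privileged account locked out in remote domain(s): "
                   "check which account joined this host to AD and rejoin with a service account")
    elif privileged:
        verdict = "privileged account locked out in home domain"
    else:
        verdict = "ordinary user lockouts"
    return {"caller": caller, "lockouts": total, "privileged_accounts": privileged,
            "foreign_domains": foreign, "verdict": verdict}


def report(events, home_domain):
    """One assessment per caller host, sorted by host name."""
    grouped = lockouts_by_caller(events)
    return [assess_caller(c, t, home_domain) for c, t in sorted(grouped.items())]


if __name__ == "__main__":
    for finding in report(SAMPLE_EVENTS, home_domain="US"):
        print(f"{finding['caller']}: {finding['lockouts']} lockout(s), "
              f"privileged={finding['privileged_accounts']}, "
              f"foreign domains={finding['foreign_domains']} -> {finding['verdict']}")
```

Run against a real SIEM export, replace SAMPLE_EVENTS with the normalized rows and set home_domain to the domain the ISE node is joined to; the host-level verdict is what tells you whether a service-account rejoin (as recommended above) is the fix or whether some other host is the source of the lockouts.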

Author

Commented:
That should be a very good approach.
