Day 93 – Cisco ISE Mastery Training: Multi‑Admin & RBAC

[Day 93] Cisco ISE Mastery Training: Multi-Admin & RBAC


Introduction

When multiple engineers touch Cisco ISE, who can change what becomes mission-critical. ISE’s RBAC (Role-Based Access Control) lets you carve the admin portal into safe zones (Work Centers, menus, data scopes), while Multi-Admin Approval (MAA) adds a second pair of eyes for high-impact changes (e.g., Authorization Policy edits, Network Devices, Certificates). Today you’ll design personas, build custom roles, map AD groups to Admin Groups, enable MAA, then validate everything via GUI and API.


Problem Statement

  • Risk of misconfiguration: One click in Policy Sets can interrupt all access.
  • Audit & separation of duties: Security teams must prove change control and least-privilege.
  • Scale & consistency: As teams grow (Ops, Helpdesk, Guest, SecOps), privilege creep appears.
  • Change control gaps: Emergency changes without review = outages or compliance findings.

Solution Overview (RBAC + MAA)

  • RBAC: Create custom Admin Roles with read/write/no-access per area; bind users via Admin Groups to those roles; authenticate admins internally or with AD/LDAP/SAML.
  • MAA: Force approval workflows before sensitive changes are committed. Requesters propose; Approvers review; ISE records the full audit trail.

Sample Lab Topology

Platform: VMware for ISE PAN/MnT + PSN; EVE-NG for NADs (Cat9K, WLC), Windows 11 Admin VM with SSH/RDP/Browser.

Nodes:

  • ISE PAN/MnT: 10.10.10.10
  • ISE PSN (optional): 10.10.10.11
  • AD DS: 10.10.20.20 (with groups ISE-SuperAdmins, ISE-PolicyAdmins, ISE-Helpdesk, ISE-Auditors, ISE-Approvers)
  • Catalyst 9300: 10.10.30.30
  • 9800-CL WLC: 10.10.30.40
  • Admin PC: 10.10.40.10

Topology Diagram :

Personas we’ll implement:

  • SuperAdmin – full control
  • PolicyAdmin – R/W in Policy Sets & Policy Elements; no System settings
  • Helpdesk – read-only Policies; R/W Endpoints/Guest; no System
  • Auditor – read-only everywhere
  • Approver – can approve MAA requests (separate from SuperAdmin)

Step-by-Step GUI Configuration Guide (with validation)

A) Pre-checks

  1. ISE licenses & services up
    • CLI: ise/admin# show application status ise
    • Validate PAN/MnT is running; PSN optional for this lab.
  2. Time/AD reachability
    • CLI: ise/admin# ntp server sync status (if configured)
    • GUI: Administration → Identity Management → External Identity Sources → Active DirectoryJoin Status: Connected.
    • [Screenshot: AD Join Status]

B) Plan your RBAC matrix

Create a quick table:

PersonaWork Centers & MenusAccess
SuperAdminAllRead/Write
PolicyAdminPolicy Sets, Policy Elements, GroupsRead/Write
HelpdeskEndpoints, Context Visibility, GuestR/W Endpoints & Guest; Read Policies
AuditorAllRead-only
ApproverMAA ConsoleApprove/Deny only

C) Create Custom Admin Roles (RBAC)

Path: Administration → System → Admin Access → Roles

You can set Menu Access (Work Centers, menus) and Data Access (All, Group, Own). We’ll do 4 roles.

  1. Role: ISE-PolicyAdmin
    • Menu Access:
      • PolicyRead/Write
      • Policy ElementsRead/Write
      • Administration → Network Resources (Network Devices/NDGs)Read-only
      • Administration → SystemNo Access
      • Operations → Reports/Live LogsRead
    • Data Access: All
    • Save.
    • [Screenshot: Role Editor – PolicyAdmin]
  2. Role: ISE-Helpdesk
    • Menu Access:
      • EndpointsRead/Write
      • Guest Access (if enabled)Read/Write
      • Policy & Policy ElementsRead
      • Administration → SystemNo Access
    • Data Access: Group (optional if you use Endpoint Identity Groups)
    • Save.
    • [Screenshot: Role Editor – Helpdesk]
  3. Role: ISE-Auditor
    • Menu Access: All Read-only
    • Data Access: All
    • Save.
    • [Screenshot: Role Editor – Auditor]
  4. Role: ISE-Approver
    • Menu Access:
      • Operations → Multi-Admin ApprovalRead/Write
      • Everything else Read-only
    • Save.
    • [Screenshot: Role Editor – Approver]

Validation:

  • After saving each role, re-open to confirm permissions persisted.
  • [Screenshot: Roles list]

D) Configure Admin Authentication (Internal + AD)

Path: Administration → System → Admin Access → Authentication

  1. Enable External Authentication:
    • Choose Active Directory (your joined domain).
    • Select allowed identity stores: AD then Internal Admin as fallback.
    • Save.
    • [Screenshot: Admin Authentication Settings]
  2. Map external groups (AD) to ISE Admin Groups next (Step E).

Validation (CLI/API):

  • GUI test comes later with real logins.
  • API quick probe for admin endpoints (optional; ERS must be enabled):
    • Administration → System → Settings → ERS SettingsEnable ERS.
    • Then from Admin PC: curl -k -u ers_admin:ERSpass https://10.10.10.10:9060/ers/config/adminuser -H "Accept: application/json"
    • Expect JSON (200 OK) if ERS is on.

E) Create Admin Groups and bind Roles

Path: Administration → System → Admin Access → Administrators → Admin Groups

Create 5 admin groups and assign our custom roles:

  1. AG-SuperAdminsRole: Built-in Super Admin
  2. AG-PolicyAdminsRole: ISE-PolicyAdmin
  3. AG-HelpdeskRole: ISE-Helpdesk
  4. AG-AuditorsRole: ISE-Auditor
  5. AG-ApproversRole: ISE-Approver

For each Admin Group:

  • Click Add → Name → Assign Role → Under External Groups, click Add and select the AD group that should land here (e.g., ISE-PolicyAdmins).
  • Save.
  • [Screenshot: Admin Group – Role + External Groups mapping]

Validation:

  • In the Admin Group details, ensure the External Groups list shows your AD group(s).
  • [Screenshot: Admin Groups list]

F) Create test admin identities

  • AD Users:
    • paul.policyISE-PolicyAdmins
    • harry.helpISE-Helpdesk
    • amy.auditISE-Auditors
    • apra.approverISE-Approvers
    • sue.superISE-SuperAdmins
  • Internal Break-glass:
    • Administration → System → Admin Access → Administrators → Admin Users → Add
    • admin-local (local password, Role = Super Admin)
    • [Screenshot: Internal Admin User]

Validation:

  • Log out; log in as each persona; confirm menu visibility and edit ability.
  • For each login, capture: [Screenshot: Top menu visibility as PolicyAdmin/Helpdesk/Auditor].

G) Enable Multi-Admin Approval (MAA) & build workflows

Path: Administration → System → Settings → Multi-Admin Approval

  1. Enable MAAOn
    • Require Approval for:
      • Policy Sets (add/edit/delete rules)
      • Policy Elements (e.g., Conditions/Results)
      • Network Devices/NDGs
      • Certificates (optional)
    • Approvals Required: 1 (lab) / 2 (prod)
    • Approver Group(s): AG-Approvers (or AG-SuperAdmins as backup)
    • Request Expiry: e.g., 24h
    • Save.
    • [Screenshot: MAA Settings]
  2. MAA Scope/Granularity:
    • Use the settings panel to include Create/Update/Delete for each resource type you want gated.
    • [Screenshot: MAA Resources/Actions]

Validation:

  • Navigate to Operations → Multi-Admin Approval — ensure the console opens (for Approvers).
  • [Screenshot: MAA Console – Pending/Approved/Rejected]

H) Generate a MAA change request (Requester flow)

Login as: paul.policy (PolicyAdmin)

  1. Edit Authorization Policy:
    • Policy → Policy Sets → → Authorization Policy
    • Add a new rule (e.g., If EndpointGroup == BYOD → PermitLimited).
    • Click Save/Submit → You should see “Submit for Approval” (not immediate commit).
    • [Screenshot: Authorization Policy – Pending Approval badge]
  2. Submit for Approval:
    • Enter a comment: “BYOD limited access rule – change ticket #1234”.
    • [Screenshot: Submit for Approval dialog]

Validation:

  • Operations → Multi-Admin Approval (as paul.policy): The change appears under Pending with status Awaiting Approval.
  • [Screenshot: MAA – Request detail (diff view if available)]

I) Approve the change (Approver flow)

Login as: apra.approver (Approver)

  1. Operations → Multi-Admin ApprovalPending → Select the request.
  2. Review the diff/summary → Click Approve (or Reject with reason).
  3. Once approved, ISE commits the change.
    • [Screenshot: MAA – Approve action]
    • [Screenshot: MAA – Status = Approved/Committed]

Validation:

  • Reopen Authorization Policy as paul.policy — rule is now active (no “Pending” ribbon).
  • [Screenshot: Authorization Policy – Active rule]

J) Audit & Reporting

  1. Operations → Reports → Administrative and Operational Audit
    • Filter by User, Action, MAA.
    • Export to PDF/CSV for evidence.
    • [Screenshot: Audit Report – MAA approval trail]
  2. Versioning (optional):
    • If your ISE version tracks policy revisions, capture version IDs pre/post approval.

K) API Validation (ERS) (optional but recommended)

ERS must be enabled (Administration → System → Settings → ERS Settings).

  • List Roles: curl -k -u ers_admin:ERSpass \ -H "Accept: application/json" \ https://10.10.10.10:9060/ers/config/adminrole
  • List Admin Groups: curl -k -u ers_admin:ERSpass \ -H "Accept: application/json" \ https://10.10.10.10:9060/ers/config/admingroup
  • List Admin Users: curl -k -u ers_admin:ERSpass \ -H "Accept: application/json" \ https://10.10.10.10:9060/ers/config/adminuser

Validation:

  • Confirm your custom roles/groups appear with correct UUIDs and mappings.

Troubleshooting:


IssueSymptom in GUI/CLIRoot CauseFix
Wrong RBAC role assignmentUser logs in but has no menu options or sees “Unauthorized”Admin assigned wrong role or role missing permissionsEdit Admin Access > Roles and assign correct menus
Duplicate username conflictsLogin fails, “invalid credentials” errorSame username exists in ISE local DB and external LDAP/ADRemove duplicate, or enforce identity source sequence
Time sync mismatch (NTP issue)Login works sometimes, fails other times with “authentication failed”ISE node not in sync with AD/LDAPSync NTP across ISE, AD, and devices
Locked accountsAdmin login fails, ISE shows “Account locked”Repeated bad login attempts triggered lockoutUnlock account under Admin > Administrators
GUI login succeeds but RBAC policy not appliedUser sees default full admin menusRBAC role not mapped in “Admin Access Policies”Fix mapping under Administration > System > Admin Access > Admin Access Control
TACACS+ fallback behaviorCLI logins succeed with fallback local admin but not with RBAC rolesDevice not pointing TACACS to ISECheck switch/router AAA config
Multi-admin conflictsChanges not visible across nodesSession stickiness on load balancer or replication delayCheck ISE Deployment > Synchronization Status
SSL/TLS mismatch for AD integrationAdmins can’t log in via AD, ISE logs show TLS errorsUnsupported TLS versionEnable TLS 1.2/1.3 and upload proper certificates

2. CLI Troubleshooting Commands

Run these from ISE CLI:

# Check system logs
show logging application ise-psc.log
show logging application ise-psc-debug.log

# Check admin login attempts
show logging application ise-admin.log | include <username>

# Verify node sync status
show running-config ise
show application status ise

# NTP check
show ntp

# AD/LDAP integration test
test aaa group <groupname> <username> <password>

# Certificate validation
show crypto pki certificates

3. Log Files to Monitor

Log FileLocationPurpose
ise-admin.log/var/log/ise/Tracks all admin logins, failures, lockouts
ise-psc.log/var/log/ise/Policy Service checks, RBAC role mapping
ise-psc-debug.log/var/log/ise/Debug RBAC authorization decisions
system.log/var/log/General system-level events
ntp.log/var/log/NTP sync issues affecting login

4. GUI Troubleshooting Validation

  1. Check active sessions:
    • Navigate to: Operations > Reports > Audit > Admin Access
    • Look for login attempts, roles applied, and errors.
    • [Screenshot: ISE Admin Audit Logs]
  2. Check RBAC Policy Mapping:
    • Navigate to: Administration > System > Admin Access > Admin Access Control
    • Verify username → group → role mapping.
    • [Screenshot: ISE RBAC Mapping Screen]
  3. Check Lockouts:
    • Navigate to: Administration > System > Admin Access > Administrators
    • Check status column.

5. Debugging Example (Field Case)

Scenario: AD admin “netops1” cannot log in.

  • Step 1 – CLI Test: test aaa group AD_GROUP netops1 Cisco123 Output: Authentication failed – no role mapped.
  • Step 2 – Check logs: show logging application ise-admin.log | include netops1 Shows: User authenticated but no authorization policy applied.
  • Step 3 – GUI Check:
    In Admin Access Control, role mapping for AD_GROUP missing.
  • Fix: Add mapping → Assign “Helpdesk Role” → Save → Test login again.

Validation: User logs in with limited Helpdesk menus, not full Super Admin.


6. Validation Workflow (Engineer Checklist)

  • Confirm NTP & clock sync across ISE + AD.
  • Verify admin added in correct Identity Source.
  • Test AAA from CLI.
  • Check logs in ise-admin.log.
  • Verify RBAC mapping in GUI.
  • Perform login test with new admin.
  • Confirm correct menus visible (cross-verify with RBAC role definition).

FAQs – Cisco ISE Multi-Admin & RBAC

FAQ 1: What is the difference between a Super Admin and a System Admin in ISE?

  • Super Admin has unrestricted access to all ISE functions, including system settings, licensing, RBAC, and nodes.
  • System Admin can handle system-level tasks like certificates, deployment, and patching but may not configure all policy-related features.
  • In practice, most production teams use Super Admin sparingly and delegate daily operations with RBAC-defined roles.

FAQ 2: Can we create completely custom roles in ISE?

  • Yes .
  • Navigate: Administration > System > Admin Access > Roles > Add
  • You can define which menus/submenus are visible (e.g., only Reports or only Policy Sets).
  • Validation: Test login with a new admin → only authorized menus should appear.

FAQ 3: How does Multi-Admin approval workflow work?

  • Some sensitive actions (e.g., deleting a node, updating a certificate) can be restricted.
  • One admin requests the change.
  • Another admin approves/rejects it.
  • This prevents insider misuse or accidental misconfiguration.
  • Validation: Try deleting a policy set with workflow enabled → system prompts “Approval required.”

FAQ 4: What happens if two admins edit policies at the same time?

  • ISE has session locks for certain objects.
  • If Admin A is editing a policy, Admin B sees a “Locked by user” warning.
  • If both are editing different sections, changes merge during commit.
  • Validation: Open two browsers with two accounts and attempt edits simultaneously.

FAQ 5: Can RBAC roles be tied to Active Directory groups?

  • Yes .
  • Use Admin Access Policies to map AD group → specific role.
  • Example:
    • AD group Helpdesk → ISE role Helpdesk Operator.
    • AD group NetEng → ISE role Policy Admin.
  • Validation: Add user to AD group → relogin → check menu restrictions.

FAQ 6: What is the fallback if AD/LDAP goes down?

  • ISE falls back to local ISE admin accounts.
  • Always keep at least two local Super Admins as break-glass accounts.
  • Validation: Temporarily disable AD connector and attempt login with local account.

FAQ 7: Can we restrict admins to manage only certain NADs (network devices)?

  • Yes (Granular Device Access Control).
  • In RBAC, you can restrict role permissions to specific device groups.
  • Example: Operator can only manage Branch Switches, not Core Routers.
  • Validation: Assign role → login → try accessing restricted NAD group.

FAQ 8: Where can we monitor which admin did what changes?

  • Navigate: Operations > Reports > Audit > Admin Access.
  • Each action (login, config change, approval) is logged with username, IP, timestamp.
  • CLI check: show logging application ise-admin.log

FAQ 9: What happens if an admin account gets locked?

  • Lockout occurs after repeated failed login attempts.
  • Unlock via GUI: Administration > System > Admin Access > Administrators → Unlock.
  • CLI recovery: Use local CLI super admin to reset account.

FAQ 10: How do we validate that RBAC is working correctly?

  • Create 3 test accounts:
    • test-super → Full Super Admin
    • test-helpdesk → Reports + Endpoint only
    • test-ops → Policy view only, no edits
  • Login with each → Verify menu visibility.
  • Logs:
    • GUI: Admin Access Audit Reports
    • CLI: show logging application ise-psc-debug.log | include <username>
  • If mismatch, check Admin Access Control Policy for missing role mapping.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing Notes

  • Design personas first, then implement roles to match real duties.
  • Bind AD groups → Admin Groups → Roles for scalable access.
  • Turn on MAA for changes that can impact availability/security.
  • Always validate: Log in as each persona, attempt allowed/denied actions, and capture MAA approvals + Audit reports for evidence.

Upgrade Your Skills – Start Today

“For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes.”

Fast-Track to Cisco ISE Mastery Pro (4-month ILT)

  • 90+ hands-on ISE labs (RBAC, MAA, TrustSec, pxGrid, APIs, SIEM, TACACS+)
  • Troubleshooting Bible (logs, workflows, validation)
  • Enterprise patterns, interview prep, and capstone projects

    Enroll / Course outline: https://course.networkjourney.com/ccie-security/

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088