Cisco ISE and Active Directory Integration
Jonas Resende
Network and Security Specialist || Cisco ISE || Umbrella-SIG || Cisco SD-WAN and Meraki || Cisco Designated VIP 2024
Cisco ISE + Active Directory
The integration between these two tools is one of the most important steps for ISE functionality. That does not mean Cisco ISE will not work without AD integration: you could use only the internal user database, but that does not scale. In most network environments there is already some form of user access control; in this case we are working with Microsoft AD.
When both tools are integrated, network administration and network access control can be managed easily by the network administrators. It becomes possible to use the same user credential to log in to the workstation, to authenticate the user on the wired or wireless corporate network, and to access the network devices over an SSH or telnet session.
Beyond connectivity on the internal network, it also lets users log in to the client VPN with the same credentials. The list goes on; integrating these tools enables a variety of other use cases. We will stay focused on network administration and network access.
To start the integration, go to Administration > Identity Management > External Identity Sources > Active Directory and press Add.
Enter the AD information as shown below.
The Join Point Name is just a label; there is no rule for it. The Active Directory Domain, on the other hand, must be the actual domain name. I usually use the same value for both. Press Submit.
After this, a message will pop up: "Would you like to Join all ISE Nodes to this Active Directory Domain?" Click Yes.
After this, a window will appear asking for an AD username and password. This user does not need to have administrative privileges. In our case we will use administrator, which is the only account created so far.
After this, a window will show "Integrating", followed by the window below. Click Close and you will see the standalone ISE node joined to the domain.
Once this phase is complete, you need to add the AD groups that will be used in this integration.
Click the Groups tab > Add > Select Groups From Directory > Retrieve Groups to list all the groups from AD. Add the group named Domain Users, then press OK.
Note: The user Administrator is a member of this group.
After this, the integration with Active Directory is complete.
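The same four steps (create the join point, join all nodes with a domain account, retrieve the AD groups, and add the chosen group to the join point) can be driven through the ISE ERS REST API instead of the GUI. The following Python is an added example, not code from the article or from Cisco. The hostname, ERS account and domain are placeholders, and the endpoint paths and JSON field names are my understanding of the ERS "ActiveDirectory" resource; confirm them against your own deployment's ERS SDK reference at https://<ise-pan>/ers/sdk before relying on them. It assumes the ERS service is enabled on the admin node and the account holds the ERS Admin role.

```python
"""Cisco ISE ERS API: create an AD join point, join all nodes, and select the
AD group to add, mirroring the GUI steps in the article.

Added example, not from the article or from Cisco.  Endpoint paths and JSON
shapes are assumptions based on the ERS 'ActiveDirectory' resource; verify
against https://<ise-pan>/ers/sdk for your ISE version."""
import base64
import json
import ssl
import urllib.request

ISE_HOST = "ise-pan.example.com"   # placeholder admin node, not from the article
ERS_USER = "ers-admin"             # placeholder account with the ERS Admin role
ERS_PORT = 9060                    # ERS listens on TCP 9060


def join_point_payload(name: str, domain: str, description: str = "") -> dict:
    """Body for POST /ers/config/activedirectory (GUI: Join Point Name / AD Domain)."""
    # The domain field must be the real DNS domain name, unlike the free-form name.
    if not domain or "." not in domain:
        raise ValueError("AD domain must be a DNS name such as corp.example.com")
    return {"ERSActiveDirectory": {"name": name, "domain": domain,
                                   "description": description or name}}


def join_payload(username: str, password: str) -> dict:
    """Body for PUT /ers/config/activedirectory/{id}/joinAllNodes (GUI: Join all nodes).

    The credentials are used only for the join operation and are not stored in
    the join point, so a dedicated, non-administrative AD account is sufficient."""
    return {"OperationAdditionalData": {"additionalData": [
        {"name": "username", "value": username},
        {"name": "password", "value": password}]}}


def groups_query_payload(domain: str) -> dict:
    """Body for PUT /ers/config/activedirectory/{id}/getGroupsByDomain (GUI: Retrieve Groups)."""
    return {"OperationAdditionalData": {"additionalData": [
        {"name": "domain", "value": domain}]}}


def _leaf(group_name: str) -> str:
    # ISE reports AD groups as 'domain/Container/Group'; match on the last segment.
    return group_name.rsplit("/", 1)[-1].lower()


def select_groups(groups_response: dict, wanted: list) -> list:
    """From a getGroupsByDomain response keep only the groups named in `wanted`
    (e.g. ["Domain Users"]).  Matching is case-insensitive on the group's own name,
    so either the short name or the full 'domain/Users/Group' path works.  A missing
    group raises instead of silently leaving the join point without that group."""
    found = {}
    for g in groups_response["ERSActiveDirectoryGroups"]["groups"]:
        found.setdefault(_leaf(g["name"]), g)
    missing = [w for w in wanted if _leaf(w) not in found]
    if missing:
        raise LookupError(f"groups not found in AD: {missing}")
    return [{"name": found[_leaf(w)]["name"], "sid": found[_leaf(w)]["sid"]} for w in wanted]


def add_groups_payload(name: str, domain: str, groups: list) -> dict:
    """Body for PUT /ers/config/activedirectory/{id}/addGroups (GUI: Groups tab > Add)."""
    return {"ERSActiveDirectory": {"name": name, "domain": domain,
                                   "adgroups": {"groupsList": groups}}}


def ers_call(method: str, path: str, body, ers_password: str, cafile: str) -> dict:
    """Minimal ERS request helper using only the standard library.  TLS is verified
    against `cafile` (the CA that signed the ISE admin certificate) rather than
    disabled, so a spoofed admin node cannot harvest the join credentials."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{ISE_HOST}:{ERS_PORT}{path}",
                                 method=method, data=data)
    token = base64.b64encode(f"{ERS_USER}:{ers_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}
```

The call order mirrors the GUI: `POST /ers/config/activedirectory` with `join_point_payload` (ERS returns the new object's id in the `Location` header of the 201 response), then `PUT .../{id}/joinAllNodes` with `join_payload`, `PUT .../{id}/getGroupsByDomain` with `groups_query_payload`, and finally `PUT .../{id}/addGroups` with the result of `select_groups`. Because the join credentials are only transmitted once and never stored, a service account with no rights beyond joining the domain is enough, and the ERS admin password and AD join password should come from a secrets store rather than the script.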
To validate the integration, you can run Test User and the Diagnostic Tool from the Connection tab.
Click Test User and enter the username and password. The results are shown below.
You can see that the authentication result is SUCCESS. Scroll down to check the other parameters returned for the user administrator. Also navigate through the Groups and Attributes tabs for further information about this user.
You can also run tests with the Diagnostic Tool. This tool shows the state of the integration between ISE and AD.
You will see all the tests running and, if everything is working, as in our case, the status will show as Successful.
With that, the integration of ISE and Active Directory is complete.
I hope you enjoyed this read!
New contents coming soon.