Cisco ISE Part 3: Active directory

This is a Cisco ISE blog post series with how-to's for configuring an ISE deployment. The series consists of 10 parts.

The blogpost Agenda:

Part 1: Introduction
Part 2: Installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 3: Active Directory

Microsoft Active Directory is by far the most widely used directory service. Cisco ISE 1.1.x can be joined to only one Active Directory domain (a single join point); users in other domains of the forest are reached through that domain's trust relationships.

Check the following requirements before joining:

  • Correctly configured NTP on the ISE nodes and the domain controllers (Kerberos tolerates a clock skew of 5 minutes by default; a larger skew makes the join and every user authentication fail)
  • Working DNS: the domain name entered in ISE must resolve, including the SRV records ISE uses to locate the domain controllers
  • Firewall ports, TCP: 88 (Kerberos), 389 (LDAP), 445 (SMB), 464 (Kerberos password change), 636 (LDAPS), 3268 (Global Catalog), 3269 (Global Catalog over SSL)
  • Firewall ports, UDP: 389 (LDAP), 123 (NTP)
  • These ports must be open from every Policy Service Node to the domain controllers, not only from the administration node
  • NAT between the ISE nodes and the domain controllers is not supported
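The requirements above are easy to check before the join fails with an unhelpful error. The following PowerShell pre-flight script is an added example and is not part of the original post or of Cisco's tooling: run from a Windows host that shares the network path of the Policy Service Node towards the domain controllers, it resolves the domain's SRV records, probes every TCP port from the list against every domain controller, and measures the clock offset against each of them. The domain name `example.com` and the skew threshold are placeholder assumptions.

```powershell
# Added example (not from the original post): pre-flight check of the AD requirements.
# Run from a Windows host on the same network path as the Policy Service Node towards
# the domain controllers. Domain name and thresholds below are hypothetical placeholders.
param(
    [string]$Domain = 'example.com',
    [double]$MaxSkewSeconds = 300.0   # Kerberos default clock-skew tolerance (5 minutes)
)

# TCP ports ISE needs towards every domain controller; 3269 is the Global Catalog over SSL.
$TcpPorts = 88, 389, 445, 464, 636, 3268, 3269

# 1. DNS: ISE, like any domain member, locates domain controllers through SRV records,
#    so the domain name entered in the ISE GUI must resolve from the PSN's resolvers.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No domain controller SRV records found for $Domain" }

$problems = @()
foreach ($dc in $dcs) {
    Write-Host "== $dc =="

    # 2. TCP reachability. Test-NetConnection probes TCP only; UDP 389 and UDP 123 (NTP)
    #    cannot be verified this way and still need a rule check on the firewall itself.
    foreach ($port in $TcpPorts) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("  tcp/{0,-5} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
        if (-not $ok) { $problems += "$dc tcp/$port blocked" }
    }

    # 3. Time: Kerberos (tcp/88) rejects authenticators whose timestamp is outside the
    #    skew window, so a wrong clock shows up as a failed join or failed authentication.
    #    w32tm prints one "<time>, <+/-offset>s" line per sample; keep the worst offset.
    $samples = w32tm /stripchart /computer:$dc /samples:3 /dataonly
    $offsets = $samples | ForEach-Object {
        if ($_ -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
    }
    if ($offsets) {
        $worst = ($offsets | Measure-Object -Maximum).Maximum
        Write-Host ("  clock offset max {0:N3}s" -f $worst)
        if ($worst -gt $MaxSkewSeconds) { $problems += "$dc clock skew ${worst}s" }
    } else {
        $problems += "$dc time query failed (is udp/123 open towards the DC?)"
    }
}

if ($problems) {
    Write-Warning ("Prerequisites not met:`n  " + ($problems -join "`n  "))
    exit 1
}
Write-Host 'All checked prerequisites are met.'
```

The script exits non-zero with a list of what failed, so it can be kept with the change record of the deployment. It cannot detect NAT: for that, compare the PSN's own interface address with the address the domain controllers log for it during the join.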

A local identity store is desirable as a fallback in case the external identity store cannot be contacted. This is optional.

Local Identity

Click Administration – Identity Management – Groups and click Add to add a new user identity group (bulk import is also available).

[Screenshot: new identity group]

Under Administration – Identity Management – Identities – Users, users can be created and assigned to the user identity group.

Microsoft Active Directory

To configure Microsoft Active Directory as an external identity source:

Click Administration – Identity Management – External Identity Sources

Click Active Directory

Enter the domain name and a friendly name (Identity Store Name).
Click Save Configuration.
At this point a logon box appears; enter the credentials of an account that has the right to join computers to the domain.

[Screenshot: Active Directory connection settings]

To join the domain, check the domain and click Join.

The account used for the join does not need domain admin rights; an account that is allowed to create computer objects in the target OU (domain join rights) is sufficient. ISE uses the credentials only for the join operation itself and does not store them.

[Screenshot: AD join complete]

A computer account for the ISE node is created in AD.

Each Policy Service Node must join AD itself, and therefore gets its own computer account, in order to perform AD queries.
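The join is where least privilege is easy to get wrong: the credentials handed to ISE are often those of a Domain Admin, although the join only needs to create one computer object per Policy Service Node. The following PowerShell is an added example, not part of the original post or of Cisco's documentation. Run on a domain controller or on a host with the ActiveDirectory RSAT module and `dsacls`, it creates a dedicated join account that can only create and delete computer objects in one OU, verifies after the joins that each PSN got its own computer object, and disables the account again because ISE does not keep the credentials. The domain `example.com`, the OUs and the account name `svc-ise-join` are hypothetical.

```powershell
# Added example (not from the original post): least-privilege account for the ISE domain join.
# Requires the ActiveDirectory module (RSAT) and dsacls.exe; names below are hypothetical.
Import-Module ActiveDirectory

$Domain    = 'example.com'
$NetBios   = 'EXAMPLE'
$NodeOU    = 'OU=ISE-Nodes,DC=example,DC=com'        # existing OU that will hold the ISE computer objects
$SvcOU     = 'OU=Service Accounts,DC=example,DC=com'  # existing OU for the join account itself
$JoinUser  = 'svc-ise-join'

# 1. Random password, generated from the OS CSPRNG; hand it to the ISE admin out of band.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# 2. Ordinary domain user: no group membership beyond Domain Users, no admin rights anywhere.
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -UserPrincipalName "$JoinUser@$Domain" `
    -Path $SvcOU -AccountPassword $secure -Enabled $true -CannotChangePassword $true `
    -Description 'Used only to join Cisco ISE Policy Service Nodes to the domain'

# 3. Delegate, on the node OU only, exactly what a domain join performs:
#    create/delete computer objects, and on those objects reset the machine password,
#    set userAccountControl and the validated writes for DNS host name and SPNs.
$acct = "$NetBios\$JoinUser"
dsacls $NodeOU /I:T /G "${acct}:CCDC;computer"
dsacls $NodeOU /I:S /G "${acct}:CA;Reset Password;computer"
dsacls $NodeOU /I:S /G "${acct}:WP;userAccountControl;computer"
dsacls $NodeOU /I:S /G "${acct}:WS;Validated write to DNS host name;computer"
dsacls $NodeOU /I:S /G "${acct}:WS;Validated write to service principal name;computer"

Write-Host "Join account $acct created; password: $plain"
Write-Host "Enter $Domain and these credentials in the ISE join dialog for every PSN."

# 4. After every Policy Service Node has joined: one computer object per PSN must exist.
Read-Host 'Press Enter once all PSNs report "Join complete"' | Out-Null
Get-ADComputer -SearchBase $NodeOU -Filter * -Properties dNSHostName, whenCreated |
    Select-Object Name, dNSHostName, whenCreated | Format-Table -AutoSize

# 5. ISE does not store the join credentials, so the account has no further use until the
#    next node is added; disable it rather than leaving a join-capable account enabled.
Disable-ADAccount -Identity $JoinUser
```

If the ISE computer objects must live in a different OU than the default Computers container, create the OU first and point `$NodeOU` at it; the delegation is inherited only below that OU, which is the point of scoping it there.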

Click Administration – Identity Management – External Identity Sources
Click Active Directory
In the Groups tab, existing AD groups can be added to ISE so they can be used in policy conditions. Click Add groups from Directory:

[Screenshot: domain groups]

Check the correct groups and click OK.

In order for ISE to process authentication requests in the correct order (AD first, then the local users), create an identity source sequence. Note that ISE moves on to the next store in the sequence only when the user is not found in the current one; a user that exists in AD but supplies a wrong password is rejected without the local store being consulted. Whether an unreachable AD is treated as "user not found" (continue to the next store) or as a process error is controlled by the Advanced Search List Settings of the sequence.

Click Administration – Identity Management – Identity Source Sequences. Click Add.

Enter a name for this sequence, for example AD_Then_Local.
Select the sources and put them in the correct order:

[Screenshot: AD_Then_Local identity source sequence]

Click Policy – Authentication. In the Default rule row, click the plus sign next to Internal Users.
In the Identity Source field, select the created sequence (AD_Then_Local) and click Save.

[Screenshot: authentication policy using AD_Then_Local]

The connection with AD is now established and in use by the authentication policy. It can be tested with the Test Connection button on the Active Directory page (Administration – Identity Management – External Identity Sources – Active Directory) with the credentials of a domain user; the detailed test also shows the domain controller that answered and the groups the user belongs to.

Next week part 4 of this blog post series: High Availability