Cisco ISE Part 3: Active Directory
This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 3: Active Directory
Microsoft Active Directory is the most widely used directory service. In ISE 1.1.x, Cisco ISE can be a member of only one AD forest.
Check the following requirements:
- Correctly configured NTP
- Firewall ports, TCP: 389, 636, 445, 88, 3268, 3289, 464
- Firewall ports, UDP: 389, 123
- All of these ports must be open for every policy node
- NAT is not supported!!
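To verify these prerequisites before the join, here is an added example (not from the original post) in Python: it probes the listed TCP ports on each domain controller and measures the clock offset with a single NTP request, flagging skew beyond the Kerberos default tolerance of five minutes. The domain controller hostnames are assumed placeholders; run it from a host with the same network view as the policy node.

```python
import socket
import struct
import sys
import time

# TCP ports from the requirements list above (3289 kept as the post lists it; the Global
# Catalog over SSL is normally 3269, so confirm which port your DCs actually expose).
TCP_PORTS = {389: "LDAP", 636: "LDAPS", 445: "SMB", 88: "Kerberos",
             3268: "Global Catalog", 3289: "GC (as listed)", 464: "Kerberos kpasswd"}
MAX_SKEW = 300.0               # Kerberos default clock tolerance: 5 minutes
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)

def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes, i.e. the firewall allows it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ntp_offset_from_reply(data, t_send, t_recv):
    """Clock offset (server minus local, seconds) from a 48-byte NTP reply, RFC 5905 style:
    t_send/t_recv are our T1/T4, bytes 32-47 carry the server's receive (T2) and transmit (T3)."""
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    t2 = rx_s - NTP_EPOCH_OFFSET + rx_f / 2**32
    t3 = tx_s - NTP_EPOCH_OFFSET + tx_f / 2**32
    return ((t2 - t_send) + (t3 - t_recv)) / 2

def ntp_offset(host, timeout=2.0):
    """Send one mode-3 client request to UDP 123 and return the offset, or None on no answer."""
    packet = b"\x1b" + 47 * b"\x00"  # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            t_send = time.time()
            s.sendto(packet, (host, 123))
            data, _ = s.recvfrom(48)
            t_recv = time.time()
        except OSError:
            return None
    return ntp_offset_from_reply(data, t_send, t_recv) if len(data) >= 48 else None

def check_dc(host, probe=tcp_open, clock=ntp_offset):
    """Findings for one DC: closed TCP ports and NTP skew; 'ok' is False on any failure."""
    closed = [(p, n) for p, n in TCP_PORTS.items() if not probe(host, p)]
    offset = clock(host)
    skew_ok = offset is not None and abs(offset) <= MAX_SKEW
    return {"host": host, "closed_tcp": closed, "ntp_offset": offset, "ok": not closed and skew_ok}

if __name__ == "__main__":  # usage: python check_dc.py dc01.corp.example dc02.corp.example
    for dc in sys.argv[1:]:
        print(check_dc(dc))
```

UDP 389 is not probed here because a closed UDP port gives no reliable answer; a working NTP reply on UDP 123 at least confirms the UDP path to the DC.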
A local identity store is useful as a fallback in case the external identity store cannot be contacted. This is optional.
Local Identity
Click Administration – Identity Management – Groups and click Add to add a new group. (Bulk import is available.)
Under Administration – Identity Management – Identities – Users, users can be created and linked to the user group.
Microsoft Active Directory
To configure Microsoft Active Directory as an external identity source:
Click Administration – Identity management – External Identity Sources
Click Active Directory
Enter the domain name and a friendly name (Identity Store Name).
Click Save configuration.
At this point a logon box appears; enter a user account that has domain-join rights.
To join the domain, check the domain and click Join.
The requested login does not need admin rights; a user account with domain-join rights is sufficient.
A computer account for ISE is created in the AD.
Each policy node needs to join the AD in order to perform AD queries!
Click Administration – Identity management – External Identity Sources
Click Active Directory
In the groups tab, existing AD groups can be added into ISE. Click Add groups from Directory:
Check the correct groups and click OK.
In order for ISE to process authentication requests in the correct sequence (AD first, local after), you have to create a sequence list.
Click: Administration – Identity Management – Identity source sequences. Click Add.
Enter a name for this instance: AD_Then_Local.
Select the sources and put them in the correct order:
Click Policy – Authentication. In the default row, click the plus sign next to Internal Users.
In the Identity source field, select the created sequence (AD_Then_Local) and click Save.
The connection with AD is now established and can be tested.
Next week part 4 of this blog post series: High Availability
Why does the ISE appliance have to leave and join the domain after each reboot of the appliance? What happens when you don’t do this? And how are you going to minimize the risk of this action not being performed?
It’s a feature (bug?) of version 1.x. When you don’t leave/join the domain after a reboot, all the AD-related authentications will fail.
Interesting post, I’m going to follow your 10 part blog.
I’m new to the ISE appliance and have to see if I can test all functionality on a vm.
Thanks for your comment! You can test and implement almost all features of the ISE appliance on a VM. Only the inline posture node mode is not available when using a VM.
When you join an ISE server to an AD domain, it’s possible to see which domain server has answered a request. When this one goes down, is authentication still working?
AD authentication is still possible if there is another domain controller available and the ISE server can still resolve DNS queries.
I have a similar question on this:
Is authentication possible even if the other domain controller is not listed in the ISE domain list?
If there are multiple servers for the same domain, can we make ISE join a specific AD server?
Ted
The process of joining a domain for ISE is the same as for a normal pc. The domain controllers (with use of dns) will decide which DC you’re using for authentication requests. So, it’s not possible to point ISE to a single DC, the active directory infrastructure will make those decisions for you.
Don’t forget: you can only join 1 active directory domain!
Thanks Rob. Great answer
How do I get a password?