Welcome to the second post in the Cisco ISE series. The first article highlighted the advantages and differences of Network Access Control (NAC) solutions from standard AAA, the uniqueness of Cisco ISE, architecture and product installation process.
In this article, we will delve into creating accounts, adding LDAP servers and integrating with Microsoft Active Directory, as well as the nuances of working with PassiveID. Before reading, I strongly recommend that you read the first part .
1. A bit of terminology
User Identity - , . , , User Identity: , , , , .
User Groups - - , , Cisco ISE.
User Identity Groups - , . User Identity Groups , : Employee (), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts ( ), Guest (), ActivatedGuest ( ).
User Role - - , , . .
2.
1) Cisco ISE . Administration → Identity Management → Identities → Users → Add.
2) , .
3) . Administration → Identity Management → Identities → Users Import csv txt . , Generate a Template, .
3. LDAP
, LDAP - , , , LDAP , 389 636 (SS). LDAP Active Directory, Sun Directory, Novell eDirectory OpenLDAP. LDAP DN (Distinguished Name) (retrieval) , .
Cisco ISE LDAP , . , (primary) LDAP , ISE (secondary) . , 2 PAN, PAN LDAP, PAN - LDAP.
ISE 2 (lookup) LDAP : User Lookup MAC Address Lookup. User Lookup LDAP : , . MAC Address Lookup MAC LDAP , MAC .
Active Directory Cisco ISE LDAP .
1) Administration → Identity Management → External Identity Sources → LDAP → Add.
2) General LDAP ( Active Directory).
3) Connection Hostname/IP address AD , (389 - LDAP, 636 - SSL LDAP), (Admin DN - DN), .
: .
4) Directory Organization DN, .
5) Groups → Add → Select Groups From Directory LDAP .
6) Retrieve Groups. , . , ISE c LDAP LDAP .
7) Attributes , LDAP , Advanced Settings Enable Password Change, , . Submit .
8) LDAP .
4. Active Directory
1) Microsoft Active Directory LDAP , , , . AD Cisco ISE. Administration → Identity Management → External Identity Sources → Active Directory → Add.
: AD ISE DNS, NTP AD , .
2) Store Credentials. OU (Organizational Unit), ISE - OU. Cisco ISE, .
3) , PSN Administration → System → Deployment Passive Identity Service. PassiveID - , User IP . PassiveID AD WMI, AD SPAN ( ).
: Passive ID ISE show application status ise | include PassiveID.
4) Administration → Identity Management → External Identity Sources → Active Directory → PassiveID Add DCs. OK.
5) DC Edit. FQDN DC, , WMI Agent. WMI OK.
6) WMI Active Directory, ISE . , , login . 2 : . PassiveID Add Agent → Deploy New Agent (DC ). ( , FQDN , / ) OK.
7) Cisco ISE Register Existing Agent. , Work Centers → PassiveID → Providers → Agents → Download Agent.
: PassiveID logoff! - user session aging time 24 . logoff , - , logoff .
logoff "Endpoint probes" - . Endpoint probes Cisco ISE : RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. RADIUS probe CoA (Change of Authorization) ( 802.1X), SNMP, .
, Cisco ISE + AD 802.1X RADIUS: Windows , logoff, WiFi. - , - logoff. , .
8) Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory AD, ISE ( 3 “ LDAP ”). Retrieve Groups → OK.
9) Work Centers → PassiveID → Overview → Dashboard , , .
10) Live Sessions . AD .
5.
Cisco ISE, LDAP Microsoft Active Directory. .
(Telegram, Facebook, VK, TS Solution Blog, .).