Cisco ISE: Create users, add LDAP servers, integrate with AD. Part 2

Welcome to the second post in the Cisco ISE series. The first article covered the advantages of Network Access Control (NAC) solutions and how they differ from standard AAA, what makes Cisco ISE unique, its architecture, and the product installation process.

In this article we will delve into creating accounts, adding LDAP servers and integrating with Microsoft Active Directory, as well as the nuances of working with PassiveID. Before reading, I strongly recommend that you read the first part.

1. A bit of terminology

User Identity is the user account object in Cisco ISE. A User Identity stores the attributes ISE needs to authenticate the user and evaluate policy, such as the username, password, e-mail address, description and group membership.

User Groups are collections of individual users who share a common set of privileges, which in turn determine the Cisco ISE services and functions those users may access.

User Identity Groups are groups of user identities, referenced in authentication and authorization policies. Cisco ISE ships with the following default User Identity Groups: Employee (employees), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts (sponsor groups for guest accounts), Guest (guests) and ActivatedGuest (activated guest accounts).

User Role is a set of permissions that determines which tasks a user can perform and which services they can access on the Cisco ISE network.


2. Creating local users

1) To create a local user in Cisco ISE, go to Administration → Identity Management → Identities → Users → Add.

Figure 1. Adding a Local User to Cisco ISE

2) Fill in the required fields for the new user and save it.

Figure 2. Creating a Local User in Cisco ISE

3) Users can also be imported in bulk. Go to Administration → Identity Management → Identities → Users → Import and upload a csv or txt file. To get the required file format, click Generate a Template, fill it in and upload it.

Figure 3. Importing Users into Cisco ISE

3. Adding LDAP servers

To recap, LDAP (Lightweight Directory Access Protocol) is a protocol for querying directory services; an LDAP server listens on TCP port 389 (plain LDAP) or 636 (LDAP over SSL/TLS). LDAP-compatible directories include Active Directory, Sun Directory, Novell eDirectory and OpenLDAP. Entries in an LDAP directory are identified by a DN (Distinguished Name), which ISE uses to locate the tree it searches (retrieval) for users and groups.

Cisco ISE lets you add an LDAP server as an external identity source, with a primary and a secondary server. If the primary LDAP server is unavailable, ISE switches to the secondary one. In a deployment with 2 PANs, the primary PAN works with the primary LDAP server and the secondary PAN with the secondary LDAP server.

ISE supports 2 kinds of lookup against LDAP: User Lookup and MAC Address Lookup. User Lookup retrieves a user's attributes and group membership from LDAP without authenticating the user. MAC Address Lookup searches LDAP for a MAC address and retrieves its attributes and group membership, which is used when endpoints are identified by MAC address.

Below, Active Directory is added to Cisco ISE as an LDAP server.

1) Administration → Identity Management → External Identity Sources → LDAP → Add. 

Figure 4. Adding LDAP Server

2) On the General tab, enter a name for the LDAP server and select the schema (here Active Directory).

Figure 5. Adding an LDAP server with an Active Directory schema

3) On the Connection tab, enter the Hostname/IP address of the AD server, the port (389 for LDAP, 636 for LDAP over SSL), the Admin DN (the DN of the account ISE binds with) and its password.


Figure 6. LDAP server connection settings

4) On the Directory Organization tab, enter the base DN (the Subject Search Base and Group Search Base) from which ISE will search for users and groups.

Figure 7. Directory Organization settings

5) On the Groups tab, choose Add → Select Groups From Directory to pick the LDAP groups that ISE will use.

Figure 8. Selecting groups from the LDAP directory

6) Click Retrieve Groups. If the connection settings are correct, the directory groups are listed; select the ones you need. If the list stays empty, check that ISE can reach the LDAP server and that the LDAP bind credentials are correct.

Figure 9. Retrieving groups

7) On the Attributes tab, select the LDAP attributes that ISE should retrieve. Under Advanced Settings, Enable Password Change allows users to change their password through ISE. Click Submit.

8) The LDAP server has been added.

Figure 10. The LDAP server has been added
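The Connection tab in step 3 and the empty group list in step 6 both come down to one question: can ISE open TCP 389/636 to the server and bind with the Admin DN and password? The script below is an added example, not part of the original article and not Cisco code; it performs the same LDAPv3 simple bind on the wire (BER-encoded BindRequest, BindResponse result code), wrapping the socket in TLS when port 636 is used. The host, Admin DN and password are assumed lab placeholders.

```python
"""LDAP simple-bind check for the values entered on ISE's Connection tab (added example, not ISE code)."""
import socket
import ssl

# LDAP resultCode values relevant to a bind (RFC 4511)
LDAP_RESULT = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
               32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n: int) -> bytes:
    """BER INTEGER for a non-negative value (adds the leading 0x00 when the top bit is set)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (_int(3)                                   # version INTEGER 3
            + _tlv(0x04, bind_dn.encode())            # name LDAPDN (the Admin DN from the ISE form)
            + _tlv(0x80, password.encode()))          # simple [0] OCTET STRING: cleartext unless TLS
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (msg_id, result_code, diagnostic_message) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage (AD puts its 'data NNN' reason here)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def ldap_bind_check(host: str, port: int, bind_dn: str, password: str,
                    verify_tls: bool = True, timeout: float = 5.0):
    """Connect (TLS on 636), bind as bind_dn and return (result_code, result_name, diagnostic)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 636:
        ctx = ssl.create_default_context()
        if not verify_tls:  # lab only: AD often presents an internal-CA certificate
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(sock.recv(4096))
    return code, LDAP_RESULT.get(code, f"code {code}"), diag


if __name__ == "__main__":
    # Assumed lab values: replace with the AD host and Admin DN you entered on the ISE Connection tab.
    code, name, diag = ldap_bind_check("dc01.example.local", 636,
                                       "CN=ise-ldap,OU=Service Accounts,DC=example,DC=local",
                                       "ChangeMe!", verify_tls=False)
    print(f"bind result: {name} ({code}) {diag}")
```

Run it from a host in the same network segment as the PSN. A result of 49 (invalidCredentials) means the Admin DN or password is wrong, and the AD diagnostic string explains why; 8 (strongerAuthRequired) on port 389 means the domain controller requires signing or TLS for simple binds, in which case use 636. Note that on 389 the Admin DN password crosses the network in cleartext, which is the practical reason to prefer 636 in production.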

4. Integrating with Active Directory

1) Microsoft Active Directory can be connected not only as a plain LDAP server but also through the dedicated Active Directory integration, which gives more capabilities and is the recommended way. To join ISE to AD, go to Administration → Identity Management → External Identity Sources → Active Directory → Add.

Note: before joining AD, make sure that ISE can resolve the AD domain via DNS and that its time is synchronised over NTP with the AD domain controllers; otherwise the join will fail.

Figure 11. Adding Active Directory

2) Enter the credentials of a domain account that is allowed to join computers to the domain (tick Store Credentials if ISE should keep them). You can also specify the OU (Organizational Unit) in which the ISE computer object will be created; if it is left empty, the default computer container is used. After that Cisco ISE joins the domain.

Figure 12. Joining the domain

3) Next, enable the Passive Identity Service on the PSN under Administration → System → Deployment. PassiveID is a mechanism that learns User to IP address mappings without any active authentication by the endpoint. PassiveID can collect logon events from AD via WMI, from an agent installed on the AD domain controller, or from a SPAN session (mirrored traffic).

Note: you can check that the Passive ID service is running on ISE with the CLI command show application status ise | include PassiveID.

Figure 13. Enabling PassiveID

4) Go to Administration → Identity Management → External Identity Sources → Active Directory → PassiveID and click Add DCs. Select the domain controllers and click OK.

Figure 14. Adding domain controllers

5) Select the DC and click Edit. Enter the FQDN of the DC, the credentials, and choose the protocol: WMI or Agent. For WMI, click OK.

Figure 15. Domain controller settings

6) Instead of WMI, an agent can be installed on the Active Directory domain controller; it sends the login events to ISE. There are 2 ways to install it: deploy it from ISE, or register an already installed agent. For the first, under PassiveID click Add Agent → Deploy New Agent (the DC must be reachable from ISE). Fill in the fields (name, FQDN of the DC, domain credentials) and click OK.

Figure 16. Deploying an agent from ISE

7) Alternatively, install the agent on the DC yourself and register it in Cisco ISE with Register Existing Agent. The agent installer can be downloaded at Work Centers → PassiveID → Providers → Agents → Download Agent.

Figure 17. Registering an existing agent in ISE

Note: PassiveID does not learn about logoff! A learned session is only removed after the user session aging time, which is 24 hours by default. So when a user logs off, ISE still considers the user logged on from that IP address until the timer expires or another logon replaces the binding, because it never receives the logoff.

To detect logoff, "Endpoint probes" are used. The endpoint probes available in Cisco ISE are: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. The RADIUS probe with CoA (Change of Authorization) works where 802.1X is in use, and the SNMP probes learn endpoint state from the network devices.

From our experience with Cisco ISE + AD and 802.1X RADIUS: Windows does not always produce a logoff, in particular on WiFi. Sometimes the session is terminated, sometimes ISE never sees the logoff. Keep this in mind when designing policies.
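The logoff note above is easiest to appreciate with a small model of what PassiveID actually keeps: a user per IP address, learned from DC logon events and dropped only when the session aging time elapses. The code below is an added example written for this article, not Cisco code; the event lines are constructed in a simplified "timestamp event_id user ip" form (real DC security events 4624 logon and 4634/4647 logoff are richer), and the 24-hour default is the value the article states.

```python
"""Model of the PassiveID user-to-IP session table and its aging timer (added example, not ISE code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGON = 4624                     # Windows security event: an account was successfully logged on
LOGOFF = {4634, 4647}            # logoff events, which PassiveID does not consume
DEFAULT_AGING_HOURS = 24         # ISE default user session aging time


@dataclass
class Session:
    user: str
    ip: str
    learned_at: datetime


def parse_event(line: str):
    """Constructed format: '2024-03-01T08:00:00Z 4624 EXAMPLE\\alice 10.1.20.15'."""
    ts, event_id, user, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), int(event_id), user, ip


class PassiveIdTable:
    """One user per IP address, kept until the aging timer fires or a new logon replaces it."""

    def __init__(self, aging_hours: float = DEFAULT_AGING_HOURS):
        self.aging = timedelta(hours=aging_hours)
        self.sessions: dict[str, Session] = {}

    def observe(self, line: str) -> None:
        ts, event_id, user, ip = parse_event(line)
        if event_id == LOGON:
            self.sessions[ip] = Session(user, ip, ts)   # a new logon replaces whoever held the IP
        elif event_id in LOGOFF:
            pass   # ignored on purpose: this is the behaviour the note describes

    def expire(self, now: datetime) -> list:
        """Drop sessions older than the aging time; returns the IPs that were removed."""
        stale = [ip for ip, s in self.sessions.items() if now - s.learned_at >= self.aging]
        for ip in stale:
            del self.sessions[ip]
        return stale

    def who_is(self, ip: str, now: datetime):
        """The user ISE would attach to this IP at time 'now' (None once aged out)."""
        self.expire(now)
        s = self.sessions.get(ip)
        return s.user if s else None


# Constructed sample: alice logs on, logs off, then bob logs on from the same address.
CONSTRUCTED_EVENTS = [
    "2024-03-01T08:00:00Z 4624 EXAMPLE\\alice 10.1.20.15",
    "2024-03-01T09:00:00Z 4647 EXAMPLE\\alice 10.1.20.15",
    "2024-03-01T11:00:00Z 4624 EXAMPLE\\bob 10.1.20.15",
]


def run_demo(aging_hours: float = DEFAULT_AGING_HOURS) -> dict:
    """Replay the constructed events and report what ISE believes at three points in time."""
    at = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    table = PassiveIdTable(aging_hours)
    ip = "10.1.20.15"
    table.observe(CONSTRUCTED_EVENTS[0])
    table.observe(CONSTRUCTED_EVENTS[1])
    result = {"after_logoff": table.who_is(ip, at("2024-03-01T10:00:00Z"))}
    table.observe(CONSTRUCTED_EVENTS[2])
    result["after_bob_logon"] = table.who_is(ip, at("2024-03-01T12:00:00Z"))
    result["after_24h"] = table.who_is(ip, at("2024-03-02T11:00:00Z"))
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With the default aging, the IP is still attributed to alice an hour after her logoff, switches to bob only because bob's logon overwrites the entry, and becomes unknown 24 hours after the last logon. Lowering the aging time (run_demo(1)) makes the stale alice binding disappear sooner, at the cost of dropping genuinely active users who simply have not logged on again, which is the trade-off behind the endpoint probes mentioned above.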

8) Go to Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory and choose the AD groups that ISE will use (the same way as in section 3 "Adding LDAP servers"). Then Retrieve Groups → OK.

Figure 18. Selecting groups from Active Directory

9) Work Centers → PassiveID → Overview → Dashboard shows the state of PassiveID: the configured providers, the agents and the sessions that have been learned.

Figure 19. PassiveID dashboard

10) Live Sessions lists the sessions learned from AD logon events.

Figure 20. Live Sessions

5. Conclusion

In this article we covered creating local users in Cisco ISE, adding LDAP servers and integrating with Microsoft Active Directory, including PassiveID. In the next part we will continue with the series.


Follow our updates on our channels (Telegram, Facebook, VK, TS Solution Blog, etc.).



