This document describes how to configure a Cisco Identity Services Engine (ISE) for integration with a Cisco Lightweight Directory Access Protocol (LDAP) server.
There are no specific requirements for this document.
The information this document is based on these software and hardware versions:
- Cisco ISE Version 1.3 with patch 2
- Microsoft Windows Version 7 x64 with OpenLDAP installed
- Cisco Wireless LAN Controller (WLC) Version 126.96.36.199
- Cisco AnyConnect Version 3.1 for Microsoft Windows
- Cisco Network Access Manager Profile Editor
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
These authentication methods are supported with LDAP:
- Extensible Authentication Protocol âÂÂ Generic Token Card (EAP-GTC)
- Extensible Authentication Protocol âÂÂ Transport Layer Security (EAP-TLS)
- Protected Extensible Authentication Protocol âÂÂ Transport Layer Security (PEAP-TLS)
This section describes how to configure the network devices and integrate the ISE with an LDAP server.
In this configuration example, the endpoint uses a wireless adapter in order to associate with the wireless network. The Wireless LAN (WLAN) on the WLC is configured in order to authenticate the users via the ISE. On the ISE, LDAP is configured as an external identity store.
This image illustrates the network topology that is used:
Installation of the OpenLDAP for Microsoft Windows is completed via the GUI, and it is straightforward. The default location is C: > OpenLDAP. After installation, you should see this directory:
Take note of two directories in particular:
- ClientTools âÂÂ This directory includes a set of binaries that are used in order to edit the LDAP database.
- ldifdata âÂÂ This is the location in which you should store the files with LDAP objects.
Add this structure to the LDAP database:
Under the Root directory, you must configure two Organizational Units (OUs). The OU=groups OU should have one child group (cn=domainusers in this example). The OU=people OU defines the two user accounts that belong to the cn=domainusers group.
In order to populate the database, you must create the ldif file first. The previously mentioned structure was created from this file:
description: All groups in organisation
description: All people in organisation
cn: John Doe
cn: Jan Kowalski
In order to add the objects to the LDAP database, you can use the ldapmodify binary:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=Manager,
dc=maxcrc,dc=com" -w secret -f C:\OpenLDAP\ldifdata\test.ldif
ldap_connect_to_host: TCP localhost:389
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 496 tm: -1 async: 0
attempting to connect:
adding new entry "ou=groups,dc=maxcrc,dc=com"
adding new entry "ou=people,dc=maxcrc,dc=com"
adding new entry "uid=john.doe,ou=people,dc=maxcrc,dc=com"
adding new entry "uid=jan.kowalski,ou=people,dc=maxcrc,dc=com"
adding new entry "cn=domainusers,ou=groups,dc=maxcrc,dc=com"
Integrate OpenLDAP with the ISE
Use the information that is provided in the images throughout this section in order to configure LDAP as an external identity store on the ISE.
You can configure these attributes from the General tab:
- Subject Objectclass âÂÂ This field corresponds to the object class of the user accounts in the ldif file. As per the LDAP configuration, you can use one of four classes here:
- Subject Name Attribute âÂÂ This is the attribute that is retrieved by the LDAP when the ISE inquires whether a specific user name is included in a database. In this scenario, you must use john.doe or jan.kowalski as the user name on the endpoint.
- Group Objectclass âÂÂ This field corresponds to the object class for a group in the ldif file. In this scenario, the object class for the cn=domainusers group is posixGroup.
- Group Map Attribute âÂÂ This attribute defines how the users are mapped to the groups. Under the cn=domainusers group in the ldif file, you can see two memberUid attributes that correspond to the users.
The ISE also offers some pre-configured schemas (Microsoft Active Directory, Sun, Novell):
After you set the correct IP address and administrative domain name, you can Test Bind to the server. At this point, you should not retrieve any subjects or groups because the search bases are not yet configured.
In the next tab, you can configure the Subject/Group Search Base. This is the join point for the ISE to the LDAP. You are able to retrieve only subjects and groups that are children of your joining point. In this scenario, the subjects from the OU=people and the groups from the OU=groups are retrieved:
From the Groups tab, you can import the groups from the LDAP on the ISE:
Configure the WLC
Use the information that is provided in these images in order to configure the WLC for 802.1x authentication:
One of the supported authentication methods for LDAP is EAP-GTC. It is available in Cisco AnyConnect, but you must install the Network Access Manager Profile Editor in order to configure the profile correctly. You must also edit the Network Access Manager configuration, which by default is located here:
C: > ProgramData > Cisco > Cisco AnyConnect Secure Mobility Client > Network Access Manager > system > configuration.xml file
Use the information that is provided in these images in order to configure the EAP-GTC on the endpoint:
Use the information that is provided in these images in order to change the authentication and authorization policies on the ISE:
After you apply the configuration, you should be able to connect to the network:
In order to verify the LDAP and ISE configurations, you should be able to retrieve the subjects and groups with a test connection to the server:
These images illustrate a sample report from the ISE:
This section describes some common errors that are encountered with this configuration and how to troubleshoot them: