External Authentication and Authorization
By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.
To configure external authentication, you must:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication.
In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
Configure Password-Based Authentication Using an External Identity Store
You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
Procedure
Step 1:
Step 2: On the Authentication Method tab, click Password Based and choose one of the external identity sources you have already configured, for example the Active Directory instance that you have created.
Step 3: Configure any other password policy settings that you want for administrators who authenticate using an external identity store.
Step 4: Click Save.
Create an External Administrator Group
You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements while configuring the RBAC policy for this external administrator authentication method.
Procedure
Step 1: Choose Administration > System > Admin Access > Administrators > Admin Groups. The External Groups Mapped column displays the number of external groups that are mapped to internal RBAC roles. You can click the number shown against an admin role to view the external groups (for example, if you click the 2 displayed against Super Admin, the names of the two external groups are displayed).
Step 2: Click Add.
Step 3: Enter a name and an optional description.
Step 4: Click External. If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field.
Step 5: From the External Groups drop-down list box, choose the Active Directory group that you want to map to this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group.
Step 6: Click Save.
Create an Internal Read-Only Admin
Procedure
Step 1: Choose .
Step 2: Click Add and select Create An Admin User.
Step 3: Check the Read Only check box to create a Read-Only administrator.
Map External Groups to the Read-Only Admin Group
Procedure
Step 1: Choose Administration > Identity Management > External Identity Sources to configure the external authentication source.
Step 2: Click the required external identity source, such as Active Directory or LDAP, and then retrieve the groups from the selected identity source.
Step 3: Choose Administration > System > Admin Access > Authentication to map the authentication method for admin access to the identity source.
Step 4: Choose Administration > System > Admin Access > Administrators > Admin Groups and select the Read Only Admin group.
Step 5: Check the External check box and select the external groups to which you want to grant read-only privileges.
Step 6: Click Save.
Configure Menu Access and Data Access Permissions for External Administrator Group
You must configure menu access and data access permissions that can be assigned to the external administrator group.
Procedure
Step 1: Choose .
Step 2: Click one of the following:
Step 3: Specify menu access or data access permissions for the external administrator group.
Step 4: Click Save.
Create an RBAC Policy for External Administrator Authentication
You must configure a new RBAC policy to authenticate an administrator using an external identity store and to specify custom menu and data access permissions. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
Note: You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a template, you must duplicate that policy, rename it, and then assign the new attributes.
Procedure
Step 1: Choose .
Step 2: Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs; ensure that each administrator is associated with the correct external administrator group.
Step 3: Click Save. If you log in as an administrator and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an "unauthenticated" message, and you cannot access the Admin portal.
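The chain that the procedures above configure (external AD/LDAP group membership → external administrator group → RBAC rule → menu and data access permissions, with "unauthenticated" when nothing matches), modelled as an added Python example that is not Cisco ISE code. The group and permission names are constructed, and combining the permissions of every matching rule is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permissions:
    menu: frozenset  # menu access permission names (hypothetical)
    data: frozenset  # data access permission names (hypothetical)

@dataclass
class AdminGroup:
    name: str
    # AD/LDAP groups mapped to this external admin group (Step 5 of "Create an External Administrator Group")
    external_groups: frozenset = field(default_factory=frozenset)

@dataclass
class RbacRule:
    name: str          # rule name
    admin_group: str   # external administrator group the rule applies to
    permissions: Permissions

def matched_admin_groups(user_ext_groups, admin_groups):
    """Admin groups whose mapped external groups intersect the user's AD/LDAP groups."""
    return [g.name for g in admin_groups if g.external_groups & frozenset(user_ext_groups)]

def authorize(user_ext_groups, admin_groups, rules):
    """Combine the permissions of every RBAC rule whose admin group the user matched.
    Returns None when no rule matches: ISE reports 'unauthenticated' and denies portal access."""
    groups = set(matched_admin_groups(user_ext_groups, admin_groups))
    hits = [r for r in rules if r.admin_group in groups]
    if not hits:
        return None
    menu = frozenset().union(*(r.permissions.menu for r in hits))
    data = frozenset().union(*(r.permissions.data for r in hits))
    return Permissions(menu, data)

# Constructed sample configuration (hypothetical names, not from any real deployment)
ADMIN_GROUPS = [
    AdminGroup("Ext Network Admins", frozenset({"CORP\\ise-netadmins"})),
    AdminGroup("Read Only Admin", frozenset({"CORP\\ise-auditors", "CORP\\ise-helpdesk"})),
]
RULES = [
    RbacRule("ext_netadmin_rule", "Ext Network Admins",
             Permissions(frozenset({"Policy", "Administration"}), frozenset({"Full Data Access"}))),
    RbacRule("readonly_rule", "Read Only Admin",
             Permissions(frozenset({"Operations"}), frozenset({"Read Only Data Access"}))),
]

if __name__ == "__main__":
    print(authorize({"CORP\\ise-auditors"}, ADMIN_GROUPS, RULES))   # read-only permissions
    print(authorize({"CORP\\finance"}, ADMIN_GROUPS, RULES))        # None -> "unauthenticated"
```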