Administrative Access to Cisco ISE Using an External Identity Store
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecurID. There are two models you can use to provide authentication via an external identity store:
- External Authentication and Authorization: No credentials are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.
- External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.
During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing Internal from the Identity Store drop-down list in the login dialog box.
Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for Command Line Interface (CLI) access.
Note: You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE CLI does not offer these functions.
If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.
External Authentication and Authorization
By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.
To configure external authentication, you must:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication.
In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
Configure a Password-Based Authentication Using an External Identity Store
You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose .
Step 2: On the Authentication Method tab, click Password Based and choose one of the external identity sources that you have already configured, for example, the Active Directory instance that you created.
Step 3: Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.
Step 4: Click Save.
Create an External Administrator Group
You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements while configuring the RBAC policy for this external administrator authentication method.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Administrators > Admin Groups. The External Groups Mapped column displays the number of external groups that are mapped to internal RBAC roles. You can click the number corresponding to an admin role to view the external groups (for example, if you click the 2 displayed against Super Admin, the names of the two external groups are displayed).
Step 2: Click Add.
Step 3: Enter a name and an optional description.
Step 4: Click External. If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field.
Step 5: From the External Groups drop-down list box, choose the Active Directory group that you want to map to this external administrator group. Click the “+” sign to map additional Active Directory groups to this external administrator group.
Step 6: Click Save.
Create an Internal Read-Only Admin
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose .
Step 2: Click Add and select Create An Admin User.
Step 3: Check the Read Only check box to create a Read-Only administrator.
Map External Groups to the Read-Only Admin Group
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > External Identity Sources to configure the external authentication source.
Step 2: Click the required external identity source, such as Active Directory or LDAP, and then retrieve the groups from the selected identity source.
Step 3: Choose Administration > System > Admin Access > Authentication to map the authentication method for admin access to the identity source.
Step 4: Choose Administration > System > Admin Access > Administrators > Admin Groups and select the Read Only Admin group.
Step 5: Check the External check box and select the required external groups to which you intend to grant read-only privileges.
Step 6: Click Save.
Configure Menu Access and Data Access Permissions for External Administrator Group
You must configure menu access and data access permissions that can be assigned to the external administrator group.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose .
Step 2: Click one of the following:
Step 3: Specify menu access or data access permissions for the external administrator group.
Step 4: Click Save.
Create an RBAC Policy for External Administrator Authentication
You must configure a new RBAC policy to authenticate an administrator using an external identity store and to specify custom menu and data access permissions. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
Note: You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a template, you must duplicate that policy, rename it, and then assign the new attributes.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose .
Step 2: Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator is associated with the correct external administrator group.
Step 3: Click Save. If you log in as an administrator and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an “unauthenticated” message, and you cannot access the Admin portal.
Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization
This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:
- You do not need to specify any particular external administrator groups for the administrator.
- You must configure the same username in both the external identity store and the local Cisco ISE database.
Procedure
Step 1: In the Cisco ISE GUI, click the Menu icon () and choose .
Step 2: Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password.
Step 3: Click Save.
External Authentication Process Flow
When the administrator logs in, the login session passes through the following steps in the process:
- The administrator sends an RSA SecurID challenge.
- RSA SecurID returns a challenge response.
- The administrator enters a user name and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.
- The administrator ensures that the specified Identity Store is the external RSA SecurID resource.
- The administrator clicks Login.
Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.
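As an added illustration (not Cisco ISE code and not part of the Cisco documentation), the following Python model traces the admin login decision described on this page: the two authorization models, the fallback to the internal database when the chosen external store is unreachable, and the “unauthenticated” outcome when no external group maps to an RBAC role or the RSA username is missing from the local database. Store names, usernames, groups, permissions and secrets are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalStore:
    kind: str                                    # "ad", "ldap" or "rsa" (assumed labels)
    reachable: bool = True
    secrets: dict = field(default_factory=dict)  # username -> password or SecurID passcode
    groups: dict = field(default_factory=dict)   # username -> external group names (AD/LDAP)

@dataclass
class IseAdminAccess:
    stores: dict              # identity store name -> ExternalStore
    internal_admins: dict     # username -> (password, internal admin group)
    external_group_map: dict  # external group -> ISE external admin group
    rbac: dict                # ISE admin group -> frozenset of menu/data access permissions

    def _internal(self, user, secret):
        entry = self.internal_admins.get(user)
        if entry is None or entry[0] != secret:
            return ("unauthenticated", frozenset())
        return ("authorized", self.rbac.get(entry[1], frozenset()))

    def login(self, user, secret, identity_store="Internal"):
        """One admin login attempt; returns (result, permissions)."""
        store = self.stores.get(identity_store)
        if identity_store == "Internal" or (store is not None and not store.reachable):
            return self._internal(user, secret)   # explicit Internal choice, or fallback
        if store is None or store.secrets.get(user) != secret:
            return ("unauthenticated", frozenset())
        if store.kind == "rsa":
            # External authentication, internal authorization: same username must exist in ISE
            entry = self.internal_admins.get(user)
            return ("authorized", self.rbac.get(entry[1], frozenset())) if entry else ("unauthenticated", frozenset())
        # External authentication and authorization: role comes only from mapped external groups
        ise_groups = {self.external_group_map[g] for g in store.groups.get(user, ()) if g in self.external_group_map}
        if not ise_groups:
            return ("unauthenticated", frozenset())
        return ("authorized", frozenset().union(*(self.rbac.get(g, frozenset()) for g in ise_groups)))

def demo_config(ad_reachable=True):  # constructed sample deployment; every name and secret is made up
    ad = ExternalStore("ad", reachable=ad_reachable, secrets={"alice": "pw-alice", "bob": "pw-bob"},
                       groups={"alice": ["ISE-Admins"], "bob": ["Staff"]})
    rsa = ExternalStore("rsa", secrets={"carol": "passcode-123"})
    full, read = frozenset({"menu:all", "data:all"}), frozenset({"menu:read", "data:read"})
    return IseAdminAccess(
        stores={"corp-ad": ad, "rsa-securid": rsa},
        internal_admins={"carol": ("internal-pw", "Super Admin"), "dave": ("pw-dave", "Read Only Admin")},
        external_group_map={"ISE-Admins": "External Super Admin"},
        rbac={"Super Admin": full, "External Super Admin": full, "Read Only Admin": read})
```

With `demo_config()`, alice (mapped AD group) and carol (RSA user also present internally) are authorized, bob (unmapped AD group) is not, and with `demo_config(ad_reachable=False)` dave succeeds only because the attempt falls back to the internal database.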