Asset Visibility
Administrative Access to Cisco ISE Using an External Identity Store
In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
- External Authentication and Authorization—There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.
- External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.
During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing “Internal” from the Identity Store drop-down selector in the login dialog.
Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for CLI access.
Note: You can configure this method of providing external administrator authentication only via the Admin portal. The Cisco ISE Command Line Interface (CLI) does not feature these functions.
If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.
External Authentication and Authorization
By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.
In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
To configure external authentication, you must:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication.
Configure Password-Based Authentication Using an External Identity Store
You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
Procedure
Step 1: Choose .
Step 2: On the Authentication Method tab, select Password Based and choose one of the external identity sources that you have already configured, for example, the Active Directory instance that you have created.
Step 3: Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.
Step 4: Click Save.
Create an External Administrator Group
You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
Procedure
Step 1: Choose Administration > System > Admin Access > Administrators > Admin Groups. The External Groups Mapped column displays the number of external groups that are mapped to internal RBAC roles. You can click the number corresponding to an admin role to view the external groups (for example, if you click 2 displayed against Super Admin, the names of the two external groups are displayed).
Step 2: Click Add.
Step 3: Enter a name and an optional description.
Step 4: Choose the External radio button. If you have connected to and joined an Active Directory domain, your Active Directory instance name appears in the Name field.
Step 5: From the External Groups drop-down list box, choose the Active Directory group that you want to map for this external administrator group. Click the “+” sign to map additional Active Directory groups to this external administrator group.
Step 6: Click Save.
Create an Internal Read-Only Admin
Procedure
Step 1: Choose .
Step 2: Click Add and select Create An Admin User.
Step 3: Check the Read Only check box to create a Read-Only administrator.
Map External Groups to the Read-Only Admin Group
Procedure
Step 1: Choose Administration > Identity Management > External Identity Sources to configure the external authentication source. See the Manage Users and External Identity Sources chapter for more information.
Step 2: Click the required external identity source, such as Active Directory or LDAP, and then retrieve the groups from the selected identity source.
Step 3: Choose Administration > System > Admin Access > Authentication to map the authentication method for the admin access with the identity source.
Step 4: Choose Administration > System > Admin Access > Administrators > Admin Groups and select the Read Only Admin group.
Step 5: Check the Type External check box and select the required external groups for whom you intend to provide read-only privileges.
Step 6: Click Save. An external group that is mapped to a Read-Only Admin group cannot be assigned to any other admin group.
Configure Menu Access and Data Access Permissions for the External Administrator Group
You must configure menu access and data access permissions that can be assigned to the external administrator group.
Procedure
Step 1: Choose .
Step 2: Click one of the following:
Step 3: Specify menu access or data access permissions for the external administrator group.
Step 4: Click Save.
Create an RBAC Policy for External Administrator Authentication
In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, you must configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
Note: You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a “template,” be sure to duplicate that policy, rename it, and then assign the new attributes.
Procedure
Step 1: Choose .
Step 2: Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator in question is associated with the correct external administrator group.
Step 3: Click Save. If you log in as an administrator, and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an “unauthenticated” message, and you cannot access the Admin portal.
Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization
This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:
- You do not need to specify any particular external administrator groups for the administrator.
- You must configure the same username in both the external identity store and the local Cisco ISE database.
Procedure
Step 1: Choose .
Step 2: Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password.
Step 3: Click Save.
External Authentication Process Flow
When the administrator logs in, the login session passes through the following steps in the process:
- The administrator sends an RSA SecurID challenge.
- RSA SecurID returns a challenge response.
- The administrator enters a user name and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.
- The administrator ensures that the specified Identity Store is the external RSA SecurID resource.
- The administrator clicks Login.
Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.
External Identity Sources
These pages enable you to configure and manage external identity sources that contain user data that Cisco ISE uses for authentication and authorization.
LDAP Identity Source Settings
The following table describes the fields on the LDAP Identity Sources page, which you can use to create an LDAP instance and connect to it. The navigation path for this page is: .
LDAP General Settings
The following table describes the fields in the General tab.
Fields | Usage Guidelines
---|---
Name | Enter a name for the LDAP instance. This value is used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 64 characters.
Description | Enter a description for the LDAP instance. This value is of type string, and has a maximum length of 1024 characters.
Schema | You can choose any one of the following built-in schema types or create a custom schema:
Subject Objectclass | Enter a value to be used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 256 characters.
Subject Name Attribute | Enter the name of the attribute containing the username in the request. The value is of type string and the maximum length is 256 characters.
Group Name Attribute | Enter CN or DN or any supported attribute in the Group Name Attribute field.
Certificate Attribute | Enter the attribute that contains the certificate definitions. For certificate-based authentication, these definitions are used to validate certificates that are presented by clients.
Group Objectclass | Enter a value to be used in searches to specify the objects that are recognized as groups. The value is of type string and the maximum length is 256 characters.
Group Map Attribute | Specifies the attribute that contains the mapping information. This attribute can be a user or group attribute based on the reference direction that is chosen.
Subject Objects Contain Reference To Groups | Click this radio button if the subject objects contain an attribute that specifies the group to which they belong.
Group Objects Contain Reference To Subjects | Click this radio button if the group objects contain an attribute that specifies the subject. This value is the default value.
Subjects in Groups Are Stored in Member Attribute As | (Only available when you select the Group Objects Contain Reference To Subjects radio button) Specifies how members are sourced in the group member attribute and defaults to the DN.
User Info Attributes | By default, predefined attributes are used to collect user information (such as first name, last name, email, telephone, locality, and so on) for the following built-in schema types: If you edit the attributes of the predefined schema, Cisco ISE automatically creates a Custom schema. You can also select the Custom option from the Schema drop-down list to edit the user information attributes based on your requirements.
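The group-mapping fields above (Group Objectclass, Group Map Attribute, the reference direction, and how members are stored) decide how a subject's groups are found. The following added example, which is not Cisco ISE code, walks a constructed in-memory directory with both reference directions; the attribute names (uid, member, memberOf, memberUid, posixGroup) and the entries are assumptions made for the example.

```python
# Added example (not Cisco ISE code): resolves a user's LDAP groups using the
# reference direction and member-attribute settings described in the LDAP
# General Settings table. The directory below is constructed sample data;
# attribute names such as memberOf and memberUid are assumptions for the example.
from dataclasses import dataclass

# Constructed sample directory: DN -> attribute name -> list of values.
DIRECTORY = {
    "cn=alice,ou=people,dc=corporation,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
        "memberOf": ["cn=netadmins,ou=groups,dc=corporation,dc=com"],
    },
    "cn=bob,ou=people,dc=corporation,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
        "memberOf": [],
    },
    "cn=netadmins,ou=groups,dc=corporation,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["netadmins"],
        "member": ["cn=alice,ou=people,dc=corporation,dc=com"],  # members stored as DN
    },
    "cn=helpdesk,ou=groups,dc=corporation,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["helpdesk"],
        "memberUid": ["bob", "alice"],  # members stored as uid, not as DN
    },
}


@dataclass
class LdapSchema:
    """Mirrors the General tab fields. Defaults follow the table: group objects
    reference subjects, and members are stored as the subject DN."""
    subject_objectclass: str = "inetOrgPerson"
    subject_name_attribute: str = "uid"
    group_objectclass: str = "groupOfNames"
    group_name_attribute: str = "cn"
    group_map_attribute: str = "member"
    groups_reference_subjects: bool = True
    member_stored_as: str = "DN"  # "DN" or the name of a subject attribute


def find_subject(directory, schema, username):
    """Return (dn, attrs) of the subject whose Subject Name Attribute equals username, or None."""
    for dn, attrs in directory.items():
        if schema.subject_objectclass not in attrs.get("objectClass", []):
            continue
        if username in attrs.get(schema.subject_name_attribute, []):
            return dn, attrs
    return None


def is_group(schema, attrs):
    """An entry counts as a group only if it carries the configured Group Objectclass."""
    return schema.group_objectclass in attrs.get("objectClass", [])


def group_name(schema, attrs):
    """Group Name Attribute value, or None when it is absent (or not visible to the bind account)."""
    names = attrs.get(schema.group_name_attribute, [])
    return names[0] if names else None


def resolve_groups(directory, schema, username):
    """Return the sorted group names the subject belongs to, or None if no subject matches."""
    found = find_subject(directory, schema, username)
    if found is None:
        return None
    subject_dn, subject_attrs = found
    groups = set()
    if schema.groups_reference_subjects:
        # Group objects list members in the Group Map Attribute; the value we
        # look for is the subject DN or the chosen subject attribute.
        if schema.member_stored_as == "DN":
            ident = subject_dn
        else:
            values = subject_attrs.get(schema.member_stored_as, [])
            ident = values[0] if values else None
        for attrs in directory.values():
            if is_group(schema, attrs) and ident in attrs.get(schema.group_map_attribute, []):
                name = group_name(schema, attrs)
                if name is not None:  # an unreadable group name means the group cannot be mapped
                    groups.add(name)
    else:
        # Subject objects carry group DNs in the Group Map Attribute.
        for group_dn in subject_attrs.get(schema.group_map_attribute, []):
            attrs = directory.get(group_dn)
            if attrs is not None and is_group(schema, attrs):
                name = group_name(schema, attrs)
                if name is not None:
                    groups.add(name)
    return sorted(groups)


if __name__ == "__main__":
    print(resolve_groups(DIRECTORY, LdapSchema(), "alice"))
```

A group whose name attribute the bind account cannot read simply drops out of the result, which is the "group mapping fails" case the Admin DN guideline describes.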
LDAP Connection Settings
The following table describes the fields in the Connection Settings tab.
Fields | Usage Guidelines
---|---
Enable Secondary Server | Check this option to enable the secondary LDAP server to be used as a backup if the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.
Primary and Secondary Servers |
Hostname/IP | Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).
Port | Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.
Specify server for each ISE node | Check this check box to configure primary and secondary LDAP server hostnames/IP and their ports for each PSN. When this option is enabled, a table listing all the nodes in the deployment is displayed. You need to select the node and configure the primary and secondary LDAP server hostname/IP and their ports for the selected node.
Access | Anonymous Access—Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection. Authenticated Access—Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.
Admin DN | Enter the DN of the administrator. The Admin DN is the LDAP account that has permission to search all required users under the User Directory Subtree and to search groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP server.
Password | Enter the LDAP administrator account password.
Secure Authentication | Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.
LDAP Server Root CA | Choose a trusted root certificate authority from the drop-down list to enable secure authentication with a certificate.
Server Timeout | Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 99. The default is 10.
Max. Admin Connections | Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.
Force reconnect every N seconds | Check this check box and enter the desired value in the Seconds text box to force the server to renew the LDAP connection at the specified time interval. The valid range is from 1 to 60 minutes.
Test Bind to Server | Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.
Failover |
Always Access Primary Server First | Click this option if you want Cisco ISE to always access the primary LDAP server first for authentications and authorizations.
Failback to Primary Server After | If the primary LDAP server that Cisco ISE attempts to contact cannot be reached, Cisco ISE attempts to contact the secondary LDAP server. If you want Cisco ISE to use the primary LDAP server again, click this option and enter a value in the text box.
LDAP Directory Organization Settings
The following table describes the fields in the Directory Organization tab.
Fields | Usage Guidelines
---|---
Subject Search Base | Enter the DN for the subtree that contains all subjects, for example, o=corporation.com. If the tree containing subjects is the base DN, enter o=corporation.com or dc=corporation,dc=com, as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.
Group Search Base | Enter the DN for the subtree that contains all groups, for example, ou=organizational unit, ou=next organizational unit, o=corporation.com. If the tree containing groups is the base DN, enter o=corporation.com or dc=corporation,dc=com, as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.
Search for MAC Address in Format | Enter a MAC Address format for Cisco ISE to use for searches in the LDAP database. MAC addresses in internal identity sources are sourced in the format xx-xx-xx-xx-xx-xx. MAC addresses in LDAP databases can be sourced in different formats. However, when Cisco ISE receives a host lookup request, Cisco ISE converts the MAC address from the internal format to the format that is specified in this field. Use the drop-down list to enable searching for MAC addresses in a specific format, where <format> can be any one of the following: The format you choose must match the format of the MAC address sourced in the LDAP server.
Strip Start of Subject Name Up To the Last Occurrence of the Separator | Enter the appropriate text to remove domain prefixes from usernames. If, in the username, Cisco ISE finds the delimiter character that is specified in this field, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the <start_string> box, Cisco ISE strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\user1, Cisco ISE submits user1 to the LDAP server.
Strip End of Subject Name from the First Occurrence of the Separator | Enter the appropriate text to remove domain suffixes from usernames. If, in the username, Cisco ISE finds the delimiter character that is specified in this field, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the characters that are specified in this field, Cisco ISE strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is @ and the username is user1@domain, Cisco ISE submits user1 to the LDAP server.
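The two stripping rules and the MAC format conversion above are easy to get subtly wrong (last occurrence for the prefix, first occurrence for the suffix). The following added example, which is not Cisco ISE code, implements them and adds a collision check that a defender would want before enabling stripping, since two login names from different domains can be reduced to the same LDAP subject. The usernames and format templates are constructed sample values, and applying the prefix rule before the suffix rule is an assumption.

```python
# Added example (not Cisco ISE code): applies the Directory Organization rules
# for normalising the subject name before the LDAP search, plus the internal
# MAC format conversion. Usernames and templates are constructed sample values;
# the order of the two rules (prefix first, then suffix) is an assumption.
import re


def strip_subject_name(username, start_separator=None, end_separator=None):
    """Strip the start up to the LAST occurrence of start_separator, then the end
    from the FIRST occurrence of end_separator. A separator that is absent from
    the name leaves it unchanged; None or "" means the rule is not configured."""
    name = username
    if start_separator:
        pos = name.rfind(start_separator)
        if pos != -1:
            name = name[pos + len(start_separator):]
    if end_separator:
        pos = name.find(end_separator)
        if pos != -1:
            name = name[:pos]
    return name


def find_collisions(usernames, start_separator=None, end_separator=None):
    """Group distinct login names that strip to the same subject name. Every such
    group is searched under one LDAP subject, so review the result before
    enabling stripping against a directory that serves several domains."""
    by_subject = {}
    for user in usernames:
        subject = strip_subject_name(user, start_separator, end_separator)
        by_subject.setdefault(subject, []).append(user)
    return {subject: users for subject, users in by_subject.items() if len(users) > 1}


# Internal identity-source form documented on the page: xx-xx-xx-xx-xx-xx.
_INTERNAL_MAC = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def format_mac(internal_mac, template):
    """Convert a MAC in the internal xx-xx-xx-xx-xx-xx form to the template's
    layout: each 'x' in the template consumes one hex digit, every other
    character is copied literally. The templates used in the test are
    assumed examples, not the page's list of supported formats."""
    if not _INTERNAL_MAC.match(internal_mac):
        raise ValueError(f"not in internal MAC format: {internal_mac!r}")
    if template.count("x") != 12:
        raise ValueError("template must contain exactly 12 'x' placeholders")
    digits = iter(internal_mac.replace("-", ""))
    return "".join(next(digits) if ch == "x" else ch for ch in template)
```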
LDAP Group Settings
Fields | Usage Guidelines
---|---
Add | Choose Add > Add Group to add a new group or choose Add > Select Groups From Directory to select the groups from the LDAP directory. If you choose to add a group, enter a name for the new group. If you are selecting from the directory, enter the filter criteria, and click Retrieve Groups. Check the check boxes next to the groups that you want to select and click OK. The groups that you have selected will appear in the Groups page.
LDAP Attribute Settings
Fields | Usage Guidelines
---|---
Add | Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to select attributes from the LDAP server. If you choose to add an attribute, enter a name for the new attribute. If you are selecting from the directory, enter the username and click Retrieve Attributes to retrieve the user’s attributes. Check the check boxes next to the attributes that you want to select, and then click OK.
LDAP Advanced Settings
The following table describes the field in the Advanced Settings tab.
Fields | Usage Guidelines
---|---
Enable Password Change | Check this check box to enable the user to change the password in case of password expiry or password reset while using the PAP protocol for device admin and the RADIUS EAP-GTC protocol for network access. User authentication fails for the unsupported protocols. This option also enables the user to change the password on their next login.
RADIUS Token Identity Sources Settings
Fields | Usage Guidelines
---|---
Name | Enter a name for the RADIUS token server. The maximum number of characters allowed is 64.
Description | Enter a description for the RADIUS token server. The maximum number of characters is 1024.
SafeWord Server | Check this check box if your RADIUS identity source is a SafeWord server.
Enable Secondary Server | Check this check box to enable the secondary RADIUS token server for Cisco ISE to use as a backup in case the primary fails. If you check this check box, you must configure a secondary RADIUS token server.
Always Access Primary Server First | Click this radio button if you want Cisco ISE to always access the primary server first.
Fallback to Primary Server after | Click this radio button to specify the amount of time in minutes that Cisco ISE can authenticate using the secondary RADIUS token server if the primary server cannot be reached. After this time elapses, Cisco ISE reattempts to authenticate against the primary server.
Primary Server |
Host IP | Enter the IP address of the primary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).
Shared Secret | Enter the shared secret that is configured on the primary RADIUS token server for this connection.
Authentication Port | Enter the port number on which the primary RADIUS token server is listening.
Server Timeout | Specify the time in seconds that Cisco ISE should wait for a response from the primary RADIUS token server before it determines that the primary server is down.
Connection Attempts | Specify the number of attempts that Cisco ISE should make to reconnect to the primary server before moving on to the secondary server (if defined) or dropping the request if a secondary server is not defined.
Secondary Server |
Host IP | Enter the IP address of the secondary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).
Shared Secret | Enter the shared secret configured on the secondary RADIUS token server for this connection.
Authentication Port | Enter the port number on which the secondary RADIUS token server is listening. Valid values are from 1 to 65,535. The default is 1812.
Server Timeout | Specify the time in seconds that Cisco ISE should wait for a response from the secondary RADIUS token server before it determines that the secondary server is down.
Connection Attempts | Specify the number of attempts that Cisco ISE should make to reconnect to the secondary server before dropping the request.
RSA SecurID Identity Source Settings
RSA Prompt Settings
The following table describes the fields in the RSA Prompts tab.
Fields | Usage Guidelines
---|---
Enter Passcode Prompt | Enter a text string to obtain the passcode.
Enter Next Token Code | Enter a text string to request the next token.
Choose PIN Type | Enter a text string to request the PIN type.
Accept System PIN | Enter a text string to accept the system-generated PIN.
Enter Alphanumeric PIN | Enter a text string to request an alphanumeric PIN.
Enter Numeric PIN | Enter a text string to request a numeric PIN.
Re-enter PIN | Enter a text string to request the user to re-enter the PIN.
RSA Message Settings
The following table describes the fields in the RSA Messages tab.
Fields | Usage Guidelines
---|---
Display System PIN Message | Enter a text string to label the system PIN message.
Display System PIN Reminder | Enter a text string to inform the user to remember the new PIN.
Must Enter Numeric Error | Enter a message that instructs users to enter only numbers for the PIN.
Must Enter Alpha Error | Enter a message that instructs users to enter only alphanumeric characters for PINs.
PIN Accepted Message | Enter a message that the users see when their PIN is accepted by the system.
PIN Rejected Message | Enter a message that the users see when the system rejects their PIN.
User Pins Differ Error | Enter a message that the users see when they enter an incorrect PIN.
System PIN Accepted Message | Enter a message that the users see when the system accepts their PIN.
Bad Password Length Error | Enter a message that the users see when the PIN that they specify does not fall within the range specified in the PIN length policy.
Cisco ISE Users
In this chapter, the term user refers to employees and contractors who access the network regularly as well as sponsor and guest users. A sponsor user is an employee or contractor of the organization who creates and manages guest-user accounts through the sponsor portal. A guest user is an external visitor who needs access to the organization’s network resources for a limited period of time.
You must create an account for any user to gain access to resources and services on the Cisco ISE network. Employees, contractors, and sponsor users are created from the Admin portal.
User Identity
User identity is like a container that holds information about a user and forms their network access credentials. Each user’s identity is defined by data and includes: a username, e-mail address, password, account description, associated administrative group, user group, and role.
User Groups
User groups are a collection of individual users who share a common set of privileges that allow them to access a specific set of Cisco ISE services and functions.
User Identity Groups
A user’s group identity is composed of elements that identify and describe a specific group of users that belong to the same group. A group name is a description of the functional role that the members of this group have. A group is a listing of the users that belong to this group.
Default User Identity Groups
Cisco ISE comes with the following predefined user identity groups:
- Employee—Employees of your organization belong to this group.
- SponsorAllAccount—Sponsor users who can suspend or reinstate all guest accounts in the Cisco ISE network.
- SponsorGroupAccounts—Sponsor users who can suspend guest accounts created by sponsor users from the same sponsor user group.
- SponsorOwnAccounts—Sponsor users who can only suspend the guest accounts that they have created.
- Guest—A visitor who needs temporary access to resources in the network.
- ActivatedGuest—A guest user whose account is enabled and active.
User Role
A user role is a set of permissions that determine what tasks a user can perform and what services they can access on the Cisco ISE network. A user role is associated with a user group, for example, a network access user.
User Account Custom Attributes
Cisco ISE allows you to restrict network access based on user attributes for both network access users and administrators. Cisco ISE comes with a set of predefined user attributes and also allows you to create custom attributes. Both types of attributes can be used in conditions that define the authentication policy. You can also define a password policy for user accounts so that passwords meet specified criteria.
Custom User Attributes
You can configure more user-account attributes on the User Custom Attributes page (Administration > Identity Management > Settings > User Custom Attributes). You can also view the list of predefined user attributes on this page. You cannot edit the predefined user attributes.
Enter the required details in the User Custom Attributes pane to add a new custom attribute. The custom attributes and the default values that you add on the User Custom Attributes page are displayed while adding or editing a Network Access user (Administration > Identity Management > Identities > Users > Add/Edit) or Admin user (Administration > System > Admin Access > Administrators > Admin Users > Add/Edit). You can change the default values while adding or editing a Network Access or Admin user.
You can select the following data types for the custom attributes on the User Custom Attributes page:
- String—You can specify the maximum string length (maximum allowed length for a string attribute value).
- Integer—You can configure the minimum and maximum value (specifies the lowest and the highest acceptable integer value).
- Enum—You can specify the following values for each parameter:
  - Internal value
  - Display value
  You can also specify the default parameter. The values that you add in the Display field are displayed while adding or editing a Network Access or Admin user.
- Float
- Password—You can specify the maximum string length.
- Long—You can configure the minimum and maximum value.
- IP—You can specify a default IPv4 or IPv6 address.
- Boolean—You can set either True or False as the default value.
- Date—You can select a date from the calendar and set it as the default value. The date is displayed in yyyy-mm-dd format.
Check the Mandatory check box if you want to make an attribute mandatory while adding or editing a Network Access or Admin user. You can also set default values for the custom attributes.
The custom attributes can be used in the authentication policies. The data type and the allowable range that you set for the custom attributes are applied to the custom attribute values in the policy conditions.
Generate Automatic Password for Users and Administrators
Cisco ISE provides a Generate Password option on the user and administrator creation pages to generate a password that adheres to the Cisco ISE password policies. This lets users and administrators use a password generated by Cisco ISE rather than spending time devising a safe password. The option is available on the following pages:
- Users—Administration > Identity Management > Identities > Users.
- Administrators—Administration > System > Admin Access > Administrators > Admin Users.
- Logged in Administrator (Current Administrator)—Settings > Account Settings > Change Password.
Internal User Operations
Add Users
Cisco ISE allows you to view, create, modify, duplicate, delete, change the status, import, export, or search for attributes of Cisco ISE users.
If you are using a Cisco ISE internal database, you must create an account for any new user who needs access to resources or services on a Cisco ISE network.
Procedure
Step 1: Choose . You can also create users by accessing the page.
Step 2: Click Add (+) to create a new user.
Step 3: Enter values for the fields. Do not include !, %, :, ;, [, {, |, }, ], `, ?, =, <, >, \ or control characters in the username. A username consisting only of spaces is also not allowed. If you use the Cisco ISE Internal Certificate Authority (CA) for BYOD, the username that you provide here is used as the Common Name for the endpoint certificate. The Cisco ISE Internal CA does not support the "+" or "*" characters in the Common Name field.
Step 4: Click Submit to create a new user in the Cisco ISE internal database.
Export Cisco ISE User Data
You might have to export user data from the Cisco ISE internal database. Cisco ISE allows you to export user data in the form of a password-protected csv file.
Procedure
Step 1 |
Choose . |
Step 2 |
Check the check box that corresponds to the user(s) whose data you want to export. |
Step 3 |
Click Export Selected. |
Step 4 |
Enter a key for encrypting the password in the Key field. |
Step 5 |
Click Start Export to create a users.csv file. |
Step 6 |
Click OK to export the users.csv file. |
Import Cisco ISE Internal Users
You can import new user data into Cisco ISE with a csv file to create new internal accounts. A template csv file is available for download on the pages where you can import user accounts. Administrators import users on the page used in the procedure below; sponsors import users on the Sponsor portal. The Sponsor Portal Guide tells sponsors how to import guest accounts. See the Configure Account Content for Sponsor Account Creation section in Cisco ISE Admin Guide: Guest and BYOD for information about configuring the information types that the sponsor guest accounts use.
Note |
If the csv file contains custom attributes, the data type and the allowable range that you set for the custom attributes will be applied for the custom attribute values during import. |
Procedure
Step 1 |
Choose . |
Step 2 |
Click Import to import users from a comma-delimited text file. If you do not have a comma-delimited text file, click Generate a Template to create a csv file with the heading rows filled in. |
Step 3 |
In the File text box, enter the filename containing the users to import, or click Browse and navigate to the location where the file resides. |
Step 4 |
Check the Create new user(s) and update existing user(s) with new data check boxes if you want to both create new users and update existing users. |
Step 5 |
Click Save to save your changes to the Cisco ISE internal database. |
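The username restrictions from the Add Users procedure and the rule that custom attribute values are checked against their declared data type and allowable range during import are easy to get wrong in a bulk file. The following added example (not Cisco's code; Cisco ISE does this validation internally and does not expose it as an API) validates an import csv the way a pre-flight check would before the file is uploaded. The attribute names, limits and the sample csv rows are constructed for the example, and the handling of an empty mandatory cell that has a default value is an assumption.

```python
import csv
import io
import ipaddress
from datetime import date
from typing import Dict, List, Optional

# Characters the Add Users step rejects in a username (the backslash is escaped here).
FORBIDDEN_USERNAME_CHARS = set('!%:;[{|}]`?=<>\\')
# Additionally rejected in a certificate Common Name by the Cisco ISE Internal CA (BYOD).
INTERNAL_CA_FORBIDDEN_CHARS = set('+*')


def validate_username(username: str, byod_internal_ca: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means the username is acceptable."""
    problems: List[str] = []
    if username.strip() == "":
        problems.append("username must not be empty or consist only of spaces")
    bad = sorted({c for c in username if c in FORBIDDEN_USERNAME_CHARS})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username):
        problems.append("control characters are not allowed")
    if byod_internal_ca:
        bad_cn = sorted({c for c in username if c in INTERNAL_CA_FORBIDDEN_CHARS})
        if bad_cn:
            problems.append("not allowed in the Internal CA Common Name: " + " ".join(bad_cn))
    return problems


def validate_custom_attribute(spec: Dict, raw: str) -> Optional[str]:
    """Check one csv cell against the attribute's declared data type and allowable range.
    Returns an error message, or None when the value is acceptable.
    Assumption: an empty cell for a mandatory attribute is only an error when no default exists."""
    if raw == "":
        if spec.get("mandatory") and spec.get("default") is None:
            return "mandatory attribute is missing and has no default"
        return None
    kind = spec["type"]
    if kind == "String":
        if "max_length" in spec and len(raw) > spec["max_length"]:
            return f"longer than {spec['max_length']} characters"
    elif kind == "Integer":
        try:
            value = int(raw)
        except ValueError:
            return "not an integer"
        lo, hi = spec.get("min"), spec.get("max")
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            return f"{value} is outside the range {lo}..{hi}"
    elif kind == "IP":
        try:
            ipaddress.ip_address(raw)
        except ValueError:
            return "not a valid IPv4 or IPv6 address"
    elif kind == "Boolean":
        if raw not in ("True", "False"):
            return "must be True or False"
    elif kind == "Date":
        try:
            date.fromisoformat(raw)
        except ValueError:
            return "must be a valid date in yyyy-mm-dd format"
    else:
        return f"unknown attribute type {kind!r}"
    return None


def import_users(csv_text: str, attribute_specs: Dict[str, Dict], byod_internal_ca: bool = False) -> Dict:
    """Validate every row of an import file before it is committed to the internal database.
    Returns the accepted usernames and, keyed by data row number, the problems of rejected rows."""
    accepted: List[str] = []
    rejected: Dict[int, List[str]] = {}
    for row_number, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        problems = validate_username(row.get("username") or "", byod_internal_ca)
        for name, spec in attribute_specs.items():
            error = validate_custom_attribute(spec, row.get(name) or "")
            if error:
                problems.append(f"{name}: {error}")
        if problems:
            rejected[row_number] = problems
        else:
            accepted.append(row["username"])
    return {"accepted": accepted, "rejected": rejected}


# Constructed custom attribute definitions (names and limits are illustrative).
ATTRIBUTE_SPECS = {
    "Department": {"type": "String", "max_length": 32, "mandatory": True, "default": "Unassigned"},
    "Badge-ID": {"type": "Integer", "min": 1, "max": 65535},
    "Expiry": {"type": "Date"},
    "Mgmt-IP": {"type": "IP"},
    "VPN-Allowed": {"type": "Boolean", "default": "False"},
}

# Constructed import file: row 1 is clean, rows 2 and 3 each break three rules.
SAMPLE_CSV = """username,password,Department,Badge-ID,Expiry,Mgmt-IP,VPN-Allowed
alice,Secret1!,Security,1024,2025-12-31,10.0.0.5,True
bob;drop,Secret1!,,70000,2025-12-31,10.0.0.6,yes
   ,Secret1!,Ops,12,2025-13-01,300.1.1.1,False
"""

if __name__ == "__main__":
    for row, problems in import_users(SAMPLE_CSV, ATTRIBUTE_SPECS)["rejected"].items():
        print(f"row {row}: " + "; ".join(problems))
```

Rejecting a row up front is preferable to letting a partially valid file reach the database, because the Import step commits with a single Save and a malformed custom attribute value would otherwise surface only later, in the authentication policies that use it.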
Note |
We recommend that you do not delete all the network access users at once, because this may cause a CPU spike and crash services, especially if you are using a very large database. |
Endpoint Settings
The following table describes the fields on the Endpoints page, which you can use to create endpoints and assign policies for endpoints. The navigation path for this page is:
.
Fields | Usage Guidelines
---|---
MAC Address | Enter the MAC address in hexadecimal format to create an endpoint statically. The MAC address is the device identifier for the interface that is connected to the Cisco ISE enabled network.
Static Assignment | Check this check box when you want to create an endpoint statically in the Endpoints page; the status of static assignment is then set to static. You can toggle the status of static assignment of an endpoint from static to dynamic or from dynamic to static.
Policy Assignment | (Disabled by default unless Static Assignment is checked) Choose a matching endpoint policy from the Policy Assignment drop-down list. You can do one of the following:
Static Group Assignment | (Disabled by default unless Static Assignment is checked) Check this check box when you want to assign an endpoint to an identity group statically. If you check this check box, the profiling service does not change the endpoint identity group the next time the endpoint policy is evaluated for endpoints that were previously assigned dynamically to other endpoint identity groups. If you uncheck this check box, the endpoint identity group is dynamic, as assigned by the ISE profiler based on policy configuration. If you do not choose the Static Group Assignment option, the endpoint is automatically assigned to the matching identity group the next time the endpoint policy is evaluated.
Identity Group Assignment | Choose an endpoint identity group to which you want to assign the endpoint. You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create Matching Identity Group option during evaluation of the endpoint policy for an endpoint. Cisco ISE includes the following system created endpoint identity groups:
Endpoint Import from LDAP Settings
The following table describes the fields on the Import from LDAP page, which you can use to import endpoints from an LDAP server. The navigation path for this page is:
.
Fields | Usage Guidelines
---|---
Connection Settings |
Host | Enter the hostname, or the IP address of the LDAP server.
Port | Enter the port number of the LDAP server. You can use the default port 389 to import from an LDAP server, and the default port 636 to import from an LDAP server over SSL.
Enable Secure Connection | Check the Enable Secure Connection check box to import from an LDAP server over SSL.
Root CA Certificate Name | Click the drop-down arrow to view the trusted CA certificates. The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE.
Anonymous Bind | Check the Anonymous Bind check box to enable the anonymous bind. You must either enable the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file.
Admin DN | Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file. Admin DN format example: cn=Admin, dc=cisco.com, dc=com
Password | Enter the password configured for the LDAP administrator in the slapd.conf configuration file.
Base DN | Enter the distinguished name of the parent entry. Base DN format example: dc=cisco.com, dc=com.
Query Settings |
MAC Address objectClass | Enter the query filter, which is used for importing the MAC address. For example, ieee802Device.
MAC Address Attribute Name | Enter the returned attribute name for import. For example, macAddress.
Profile Attribute Name | Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server. When you configure the Profile Attribute Name field, consider the following:
Time Out [seconds] | Enter the timeout in seconds, between 1 and 60.
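To make the Connection Settings and Query Settings rows above concrete, the following added example (not Cisco's code) applies the same rules: the default port follows the Enable Secure Connection setting, SSL needs a trusted root CA, either Anonymous Bind or Admin DN plus Password is required, the timeout is bounded to 1 to 60 seconds, the objectClass value becomes an LDAP search filter, and every returned MAC address is normalized before it is accepted as an endpoint. It stops short of opening a network connection: the search results are constructed inline in the shape an LDAP client library would return them, and the exact filter form `(objectClass=...)` is an assumption about how the MAC Address objectClass field is used.

```python
import re
from typing import Dict, List, Optional

DEFAULT_LDAP_PORT = 389    # plain LDAP
DEFAULT_LDAPS_PORT = 636   # LDAP over SSL, used when Enable Secure Connection is checked


def connection_settings(host: str, secure: bool, anonymous_bind: bool,
                        admin_dn: Optional[str] = None, password: Optional[str] = None,
                        root_ca_name: Optional[str] = None, port: Optional[int] = None,
                        timeout: int = 10) -> Dict:
    """Validate the Connection Settings fields and return the effective connection parameters."""
    if not 1 <= timeout <= 60:
        raise ValueError("Time Out must be between 1 and 60 seconds")
    if secure and not root_ca_name:
        raise ValueError("Enable Secure Connection requires a Root CA Certificate Name")
    if not anonymous_bind and not (admin_dn and password):
        raise ValueError("either check Anonymous Bind or supply Admin DN and Password")
    return {
        "host": host,
        "port": port if port is not None else (DEFAULT_LDAPS_PORT if secure else DEFAULT_LDAP_PORT),
        "use_ssl": secure,
        "root_ca": root_ca_name,
        "bind_dn": None if anonymous_bind else admin_dn,   # the password itself is never returned
        "timeout": timeout,
    }


def search_filter(mac_object_class: str) -> str:
    """Assumed form: the MAC Address objectClass value becomes an LDAP equality filter."""
    return f"(objectClass={mac_object_class})"


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e or 001a2b3c4d5e and
    return the canonical upper-case colon-separated form; None if it is not a MAC."""
    digits = re.sub(r"[:\-.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def endpoints_from_entries(entries: List[Dict], mac_attribute: str,
                           profile_attribute: Optional[str] = None) -> Dict:
    """Turn search results into endpoint records, skipping entries whose MAC is missing or malformed."""
    imported, skipped = [], []
    for entry in entries:
        values = entry.get(mac_attribute) or []
        raw = values[0] if isinstance(values, list) and values else values
        mac = normalize_mac(raw) if isinstance(raw, str) else None
        if mac is None:
            skipped.append({"dn": entry.get("dn"), "reason": f"missing or malformed {mac_attribute}"})
            continue
        endpoint = {"mac": mac, "dn": entry.get("dn")}
        if profile_attribute:
            endpoint["policy"] = entry.get(profile_attribute)   # policy name held in the LDAP entry
        imported.append(endpoint)
    return {"imported": imported, "skipped": skipped}


# Constructed search results, shaped like entries an LDAP client would return for
# the filter "(objectClass=ieee802Device)" under the base DN dc=example,dc=com.
SAMPLE_ENTRIES = [
    {"dn": "cn=printer-01,ou=endpoints,dc=example,dc=com", "macAddress": ["00:1a:2b:3c:4d:5e"], "isePolicy": "Printer"},
    {"dn": "cn=cam-07,ou=endpoints,dc=example,dc=com", "macAddress": ["001a.2b3c.4d5f"], "isePolicy": "IP-Camera"},
    {"dn": "cn=broken,ou=endpoints,dc=example,dc=com", "macAddress": ["not-a-mac"]},
]

if __name__ == "__main__":
    settings = connection_settings("ldap.example.com", secure=True, anonymous_bind=True, root_ca_name="Corp-Root")
    print(settings["host"], settings["port"], search_filter("ieee802Device"))
    print(endpoints_from_entries(SAMPLE_ENTRIES, "macAddress", "isePolicy"))
```

Normalizing the MAC before import matters because directory entries written by different tools rarely agree on a format, and an endpoint keyed by a malformed MAC can never match the device that actually connects.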
Identity Group Operations
Create a User Identity Group
You must create a user identity group before you can assign a user to it.
Procedure
Step 1 |
Choose . You can also create a user identity group by accessing the page. |
Step 2 |
Enter values in the Name and Description fields. Supported characters for the Name field are space # $ & ' ( ) * + - . / @ _ . |
Step 3 |
Click Submit. |
Export User Identity Groups
Cisco ISE allows you to export locally configured user identity groups in the form of a csv file.
Procedure
Step 1 |
Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups. |
Step 2 |
Check the check box that corresponds to the user identity group that you want to export, and click Export. |
Step 3 |
Click OK. |
Import User Identity Groups
Cisco ISE allows you to import user identity groups in the form of a csv file.
Procedure
Step 1 |
Choose . |
Step 2 |
Click Generate a Template to get a template to use for the import file. |
Step 3 |
Click Import to import network access users from a comma-delimited text file. |
Step 4 |
Check the Overwrite existing data with new data check box if you want to both add a new user identity group and update existing user identity groups. |
Step 5 |
Click Import. |
Step 6 |
Click Save to save your changes to the Cisco ISE database. |
Endpoint Identity Group Settings
The following table describes the fields on the Endpoint Identity Groups page, which you can use to create an endpoint group. The navigation path for this page is: Administration > Identity Management > Groups > Endpoint Identity Groups.
Fields |
Usage Guidelines |
---|---|
Name |
Enter the name of the endpoint identity group that you want to create. |
Description |
Enter a description for the endpoint identity group that you want to create. |
Parent Group |
Choose an endpoint identity group from the Parent Group drop-down list to which you want to associate the newly created endpoint identity group. |
Configure Maximum Concurrent Sessions
For optimal performance, you can limit the number of concurrent user sessions. You can set the limits at the user level or at the group level; the session count applied to a user depends on which maximum session configurations apply to that user.
You can configure the maximum number of concurrent sessions for each user per ISE node. Sessions above this limit are rejected.
Procedure
Step 1 |
Choose Administration > System > Settings > Max Sessions > User. |
Step 2 |
Do one of the following:
|
Step 3 |
Click Save. |
If you configure the maximum sessions to 1, and the WLC the user connects with is not running a supported version of WLC, then users get an error telling them to disconnect and reconnect.
Maximum Concurrent Sessions for a Group
You can configure the maximum number of concurrent sessions for the identity groups.
Sometimes all the sessions can be used by a few users in the group. Requests from other users to create a new session are then rejected because the number of sessions has already reached the maximum configured value. Cisco ISE therefore also allows you to configure a maximum session limit for each user in the group: each user belonging to a specific identity group cannot open more sessions than the session limit, irrespective of the number of sessions other users from the same group have opened. When calculating the session limit for a particular user, the lowest configured value takes precedence, whether it is the global session limit per user, the session limit for the identity group that the user belongs to, or the session limit per user in the group.
To configure maximum number of concurrent sessions for an identity group:
Procedure
Step 1 |
Choose Administration > System > Settings > Max Sessions > Group. All the configured identity groups are listed. |
Step 2 |
Click the Edit icon next to the group that you want to edit and enter the values for the following:
If you want to set the maximum number of concurrent sessions for a group or maximum concurrent sessions for the users in a group as Unlimited, leave the Max Sessions for Group/Max Sessions for User in Group field blank, click the Tick icon, and then click Save. By default, both these values are set as Unlimited. |
Step 3 |
Click Save. |
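The precedence rule above (lowest of the global per-user limit, the group limit and the per-user-in-group limit) and the rejection of sessions above the limit are shown in the following added example, which is not Cisco's code and models a single ISE node's counter in memory. A blank Max Sessions field means Unlimited and is represented as `None`; the `reset_user` method mirrors the Reset action on the RADIUS Live Logs page, which removes sessions from the counter without disconnecting the user. Group and user names are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# A blank Max Sessions field in the Admin portal means Unlimited; modelled here as None.
Limit = Optional[int]


def effective_user_limit(global_per_user: Limit, group_settings: Dict[str, Dict[str, Limit]],
                         user_groups: Iterable[str]) -> Limit:
    """Lowest configured value wins among: the global per-user limit, the Max Sessions for Group
    and the Max Sessions for User in Group of every identity group the user belongs to."""
    candidates: List[Limit] = [global_per_user]
    for group in user_groups:
        settings = group_settings.get(group, {})
        candidates.append(settings.get("group"))      # Max Sessions for Group
        candidates.append(settings.get("per_user"))   # Max Sessions for User in Group
    configured = [c for c in candidates if c is not None]
    return min(configured) if configured else None


class SessionCounter:
    """Per-node session counter: a session request is accepted only if neither the user's
    effective limit nor any of the user's group limits has been reached."""

    def __init__(self, global_per_user: Limit, group_settings: Dict[str, Dict[str, Limit]]):
        self.global_per_user = global_per_user
        self.group_settings = group_settings
        self.user_sessions: Dict[str, int] = defaultdict(int)
        self.group_sessions: Dict[str, int] = defaultdict(int)
        self.membership: Dict[str, List[str]] = {}

    def request_session(self, user: str, groups: Iterable[str]) -> bool:
        groups = list(groups)
        limit = effective_user_limit(self.global_per_user, self.group_settings, groups)
        if limit is not None and self.user_sessions[user] >= limit:
            return False                                   # user's own limit reached
        for group in groups:
            cap = self.group_settings.get(group, {}).get("group")
            if cap is not None and self.group_sessions[group] >= cap:
                return False                               # whole group is at its limit
        self.user_sessions[user] += 1
        for group in groups:
            self.group_sessions[group] += 1
        self.membership[user] = groups
        return True

    def reset_user(self, user: str) -> int:
        """Drop the user's sessions from the counter (the user is not disconnected).
        Returns the number of sessions that were removed."""
        count = self.user_sessions.pop(user, 0)
        for group in self.membership.pop(user, []):
            self.group_sessions[group] -= count
        return count


if __name__ == "__main__":
    # Constructed settings: 3 sessions per user globally; the Employees group allows
    # 4 sessions in total and 2 per user.
    counter = SessionCounter(3, {"Employees": {"group": 4, "per_user": 2}})
    for name in ("alice", "alice", "alice", "bob", "bob", "carol"):
        print(name, counter.request_session(name, ["Employees"]))
```

The third request from alice is refused by the per-user-in-group limit of 2, and carol's first request is refused because alice and bob have already consumed the group's 4 sessions, which is exactly the situation the per-user-in-group setting is meant to limit.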
Configure Counter Time Limit
You can configure the timeout value for concurrent user sessions.
Procedure
Step 1 |
Choose Administration > System > Settings > Max Sessions > Counter Time Limit. |
Step 2 |
Select one of the following options:
|
Step 3 |
Click Save. |
You can reset the session count from the RADIUS Live Logs page. Click the Actions icon displayed on the Identity, Identity Group, or Server column to reset the session count. When you reset a session, the session is deleted from the counter (thereby allowing new sessions). Users will not be disconnected if their sessions are deleted from the counter.
Account Disable Policy
Cisco ISE introduces the account disable policy for users and administrators to achieve parity with Cisco Secure ACS. While authenticating or querying a user or administrator, Cisco ISE checks the global account disable policy settings at Administration > Identity Management > Settings > User Authentication Settings page and authenticates or returns a result based on the configuration.
Cisco ISE verifies the following three policies:
-
Disable user accounts that exceed a specified date (yyyy-mm-dd)—Disables the user account on the specified date. However, the account disable policy settings for an individual network access user configured at Administration > Identity Management > Identities > Users > Account Disable Policy takes precedence over the global settings.
-
Disable user account after n days of account creation or last enable—Disables user accounts after specific number of days of account creation or the last date when the account was active. You can check the user status at Administration > Identity Management > Identities > Users > Status.
-
Disable accounts after n days of inactivity—Disables administrator and user accounts that have not been authenticated for the configured consecutive number of days.
When you migrate from Cisco Secure ACS to Cisco ISE, the account disable policy settings specified for a network access user in Cisco Secure ACS is migrated to Cisco ISE.
Disable Individual User Accounts
Cisco ISE allows you to disable an individual user account once the disable date that the admin user specified for that user is reached.
Procedure
Step 1 |
Choose Administration > Identity Management > Identities > Users. |
Step 2 |
Click Add to create a new user or check the check box next to an existing user and click Edit to edit the existing user details. |
Step 3 |
Check the Disable account if the date exceeds check box and select the date. This option disables the user account, at the user level, once the configured date is reached. You can configure different expiry dates for different users as required. This option overrules the global configuration for each individual user. The configured date can either be the current system date or a future date. |
Step 4 |
Click Submit to configure the account disable policy for an individual user. |
Disable User Accounts Globally
You can disable user accounts on a certain date, several days after account creation or last access date, and after several days of account inactivity.
Procedure
Step 1 |
Choose Administration > Identity Management > Settings > User Authentication Settings > Account Disable Policy. |
Step 2 |
Perform one of the following actions:
|
Step 3 |
Click Submit to configure the global account disable policy. |
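The three global policies, together with the per-user disable date that overrides the global one, are evaluated in the following added example (not Cisco's code). The ordering of the checks, the use of the creation date as the reference point for an account that has never authenticated, and the reading that the "n days of account creation or last enable" policy applies to network access users while the inactivity policy applies to administrators and users as well, are assumptions drawn from the wording above; the dates are constructed.

```python
from datetime import date
from typing import Dict, Optional


def account_disabled(today: date, global_policy: Dict, account: Dict,
                     user_disable_date: Optional[date] = None) -> Optional[str]:
    """Return the reason an account is disabled, or None if it may authenticate.

    global_policy keys (each optional): disable_date (date), days_after_creation (int),
    days_inactive (int). account keys: created (date), last_enabled (date or None),
    last_auth (date or None), is_admin (bool). user_disable_date is the per-user
    'Disable account if the date exceeds' setting, which overrides the global date."""
    # Policy 1: fixed date. The per-user setting takes precedence over the global one.
    disable_date = user_disable_date or global_policy.get("disable_date")
    if disable_date is not None and today >= disable_date:
        return f"disable date {disable_date.isoformat()} reached"

    # Policy 2: n days after creation or the last enable (network access users; assumption).
    days_after_creation = global_policy.get("days_after_creation")
    if days_after_creation is not None and not account.get("is_admin", False):
        anchor = account.get("last_enabled") or account["created"]
        age = (today - anchor).days
        if age >= days_after_creation:
            return f"{age} days since creation/last enable (limit {days_after_creation})"

    # Policy 3: n consecutive days without authentication (administrators and users).
    days_inactive = global_policy.get("days_inactive")
    if days_inactive is not None:
        # Assumption: an account that never authenticated is measured from its creation date.
        last_seen = account.get("last_auth") or account["created"]
        idle = (today - last_seen).days
        if idle >= days_inactive:
            return f"inactive for {idle} days (limit {days_inactive})"
    return None


# Constructed global policy and accounts.
GLOBAL_POLICY = {"disable_date": date(2025, 1, 1), "days_after_creation": 90, "days_inactive": 30}
NETWORK_USER = {"created": date(2024, 12, 1), "last_enabled": None, "last_auth": date(2024, 12, 20)}
ADMIN_USER = {"created": date(2024, 1, 1), "last_auth": date(2025, 1, 20), "is_admin": True}

if __name__ == "__main__":
    for day in (date(2024, 12, 28), date(2025, 1, 1)):
        print(day, account_disabled(day, GLOBAL_POLICY, NETWORK_USER))
    # A per-user date later than the global one keeps the account usable past 2025-01-01,
    # until the inactivity policy catches it.
    print(account_disabled(date(2025, 1, 25), GLOBAL_POLICY, NETWORK_USER, date(2025, 3, 1)))
```

Evaluating the fixed date before the day-count policies reproduces the documented precedence: an explicit per-user date wins over the global date, but it does not exempt the account from the creation-age and inactivity policies.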
Internal and External Identity Sources
Identity sources are databases that store user information. Cisco ISE uses user information from the identity source to validate user credentials during authentication. User information includes group information and other attributes that are associated with the user. You can add, edit, and delete user information from identity sources.
Cisco ISE supports internal and external identity sources. You can use both sources to authenticate sponsor and guest users.
Internal Identity Sources
Cisco ISE has an internal user database where you can store user information. Users in the internal user database are called internal users. Cisco ISE also has an internal endpoint database that stores information about all the devices and endpoints that connect to it.
External Identity Sources
Cisco ISE allows you to configure the external identity source that contains user information. Cisco ISE connects to an external identity source to obtain user information for authentication. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles. Cisco ISE uses authentication protocols to communicate with external identity sources. The following table lists authentication protocols and the external identity sources that they support.
Note the following points while configuring policies for internal users:
-
Configure an authentication policy to authenticate internal users against an internal identity store.
-
Configure an authorization policy for internal user groups by selecting the following option:
Identitygroup.Name EQUALS User Identity Groups: Group_Name
Protocol (Authentication Type) | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA
---|---|---|---|---
EAP-GTC, PAP (plain text password) | Yes | Yes | Yes | Yes
MS-CHAP password hash: MSCHAPv1/v2, EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, or EAP-TTLS), LEAP | Yes | Yes | No | No
EAP-MD5, CHAP | Yes | No | No | No
EAP-TLS, PEAP-TLS (certificate retrieval) | No | Yes | Yes | No
Credentials are stored differently, depending on the external data source connection type, and the features used.
-
When joining an Active Directory Domain (but not for Passive ID), the credentials that are used to join are not saved. Cisco ISE creates an AD computer account, if it does not exist, and uses that account to authenticate users.
-
For LDAP and Passive ID, the credentials that are used to connect to the external data source are also used to authenticate users.
Create an External Identity Source
Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.
Note |
To work with passive identity services, which enable you to receive and share authenticated user identities, see the "Additional Passive Identity Service Providers" section in Cisco ISE Admin Guide: Asset Visibility. |
Procedure
Step 1 |
Choose . |
Step 2 |
Choose one of these options:
|
Authenticate Internal User Against External Identity Store Password
Cisco ISE allows you to authenticate internal users against external identity store passwords. Cisco ISE provides an option to select the password identity store for internal users from the Administration > Identity Management > Identities > Users page. Administrators can select the identity store from the list of Cisco ISE External Identity Sources while adding or editing users in the Users page. The default password identity store for an internal user is the internal identity store. Cisco Secure ACS users will retain the same password identity store during and after migration from Cisco Secure ACS to Cisco ISE.
Cisco ISE supports the following external identity stores for password types:
-
Active Directory
-
LDAP
-
ODBC
-
RADIUS Token server
-
RSA SecurID server
Certificate Authentication Profiles
For each profile, you must specify the certificate field that should be used as the principal username and whether you want a binary comparison of the certificates.
Add a Certificate Authentication Profile
You must create a certificate authentication profile if you want to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate-based authentication method. Instead of authenticating via the traditional username and password method, Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a user.
Before you begin
You must be a Super Admin or System Admin.
Procedure
Step 1 |
Choose > . |
Step 2 |
Enter the name and an optional description for the certificate authentication profile. |
Step 3 |
Select an identity store from the drop-down list. Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user. |
Step 4 |
Select the use of identity from Certificate Attribute or Any Subject or Alternative Name Attributes in the Certificate. This will be used in logs and for lookups. If you choose Any Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option is available only if you choose Active Directory as the identity source. |
Step 5 |
Choose when you want to Match Client Certificate Against Certificate In Identity Store. For this you must select an identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to resolve identity ambiguity.
|
Step 6 |
Click Submit to add the certificate authentication profile or save the changes. |
Active Directory as an External Identity Source
Cisco ISE uses Microsoft Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. User and machine authentication in Active Directory allows network access only to users and devices that are listed in Active Directory.
ISE Community Resource: ISE Administrative Portal Access with AD Credentials Configuration Example
Active Directory Supported Authentication Protocols and Features
Active Directory supports features such as user and machine authentication and, with some protocols, changing Active Directory user passwords. The following table lists the authentication protocols and the respective features that are supported by Active Directory.
Authentication Protocols | Features
---|---
EAP-FAST and password based Protected Extensible Authentication Protocol (PEAP) | User and machine authentication with the ability to change passwords using EAP-FAST and PEAP with an inner method of MS-CHAPv2 and EAP-GTC
Password Authentication Protocol (PAP) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) | User and machine authentication
Extensible Authentication Protocol-Generic Token Card (EAP-GTC) | User and machine authentication
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) |
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling-Transport Layer Security (EAP-FAST-TLS) |
Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) |
Lightweight Extensible Authentication Protocol (LEAP) | User authentication
Active Directory Attribute and Group Retrieval for Use in Authorization Policies
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.
Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:
-
Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.
-
Domain local groups outside a user’s or computer’s account domain are not supported.
Note |
You can use the value of the Active Directory attribute, msRadiusFramedIPAddress, as an IP address. This IP address can be sent to a network access server (NAS) in an authorization profile. The msRADIUSFramedIPAddress attribute supports only IPv4 addresses. Upon user authentication, the msRadiusFramedIPAddress attribute value fetched for the user will be converted to IP address format. |
Attributes and groups are retrieved and managed per join point. They are used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's account domain. You can use authentication domains to ensure that no two join points in one scope have any overlap in authentication domains.
Note |
During the authorization process in a multi-join-point configuration, Cisco ISE searches the join points in the order in which they are listed in the authorization policy, only until a particular user has been found. Once a user has been found, the attributes and groups assigned to the user in that join point are used to evaluate the authorization policy. |
Note |
See Microsoft-imposed limits on the maximum number of usable Active Directory groups: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=WS.10).aspx |
An authorization policy fails if the rule contains an Active Directory group name with special characters such as /, !, @, \, #, $, %, ^, &, *, (, ), _, +, or ~.
Use Explicit UPN
To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.
To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.
Support for Boolean Attributes
Cisco ISE supports retrieving Boolean attributes from Active Directory and LDAP identity stores.
You can configure the Boolean attributes while configuring the directory attributes for Active Directory or LDAP. These attributes are retrieved upon authentication with Active Directory or LDAP.
The Boolean attributes can be used for configuring policy rule conditions.
The Boolean attribute values are fetched from Active Directory or LDAP server as String type. Cisco ISE supports the following values for the Boolean attributes:
Boolean attribute | Supported values
---|---
True | t, T, true, TRUE, True, 1
False | f, F, false, FALSE, False, 0
Note |
Attribute substitution is not supported for the Boolean attributes. |
If you configure a Boolean attribute (for example, msTSAllowLogon) as String type, the Boolean value of the attribute in the Active Directory or LDAP server will be set for the String attribute in Cisco ISE. You can change the attribute type to Boolean or add the attribute manually as Boolean type.
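Two attribute conversions described in this section, the Boolean strings in the table above and the msRadiusFramedIPAddress value from the earlier note, are shown in the following added example (not Cisco's code). It assumes, as the Active Directory schema defines it, that msRADIUSFramedIPAddress arrives as a 32-bit signed integer, which is why an address whose first octet is 128 or higher shows up as a negative number; the attribute bag and policy condition are constructed.

```python
import ipaddress
from typing import Dict, Union

# Values Cisco ISE accepts for Boolean attributes fetched from AD or LDAP as strings.
TRUE_VALUES = {"t", "T", "true", "TRUE", "True", "1"}
FALSE_VALUES = {"f", "F", "false", "FALSE", "False", "0"}


def parse_boolean_attribute(value: str) -> bool:
    """Convert the String form of a directory Boolean into a Python bool."""
    text = value.strip()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError(f"not a supported Boolean value: {value!r}")


def evaluate_boolean_condition(attributes: Dict[str, str], name: str, expected: bool) -> bool:
    """Evaluate a policy rule condition such as 'msTSAllowLogon EQUALS True'.
    An attribute that was not retrieved, or that holds an unsupported value, does not match."""
    raw = attributes.get(name)
    if raw is None:
        return False
    try:
        return parse_boolean_attribute(raw) == expected
    except ValueError:
        return False


def framed_ip_from_ad(value: Union[int, str]) -> str:
    """Convert the integer stored in msRADIUSFramedIPAddress to dotted IPv4 notation.
    Negative values are the two's-complement form of addresses >= 128.0.0.0."""
    number = int(value)
    if not -(1 << 31) <= number < (1 << 32):
        raise ValueError("value does not fit in 32 bits, cannot be an IPv4 address")
    return str(ipaddress.IPv4Address(number & 0xFFFFFFFF))


# Constructed attribute bag, as the values would be fetched (all as strings).
SAMPLE_ATTRIBUTES = {"msTSAllowLogon": "TRUE", "msRADIUSFramedIPAddress": "-1062731519"}

if __name__ == "__main__":
    print(evaluate_boolean_condition(SAMPLE_ATTRIBUTES, "msTSAllowLogon", True))
    print(framed_ip_from_ad(SAMPLE_ATTRIBUTES["msRADIUSFramedIPAddress"]))   # 192.168.1.1
```

Treating an absent or unparseable attribute as a non-match, rather than as an error, keeps a rule from granting access when the directory did not actually return the value the rule depends on.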
Active Directory Certificate Retrieval for Certificate-Based Authentication
Cisco ISE supports certificate retrieval for user and machine authentication that uses the EAP-TLS protocol. The user or machine record on Active Directory includes a certificate attribute of the binary data type. This certificate attribute can contain one or more certificates. Cisco ISE identifies this attribute as userCertificate and does not allow you to configure any other name for this attribute. Cisco ISE retrieves this certificate and uses it to perform binary comparison.
The certificate authentication profile determines the certificate field from which the username is taken in order to look up the user in Active Directory and retrieve the stored certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are retrieved, Cisco ISE compares each of them to check for one that matches. When a match is found, the user or machine authentication is passed.
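The lookup and comparison flow of a certificate authentication profile (Add a Certificate Authentication Profile, Steps 3 to 5, and the retrieval described above) is modelled in the following added example, which is not Cisco's code. It starts from certificate fields that a real implementation would already have parsed out of the client's X.509 certificate, keeps the identity store as a dictionary whose records carry a multi-valued `userCertificate` list of DER blobs, and performs the binary comparison as a byte-for-byte equality check of DER encodings. The identity selection labels, the rule that the first subject or SAN value which finds a record is the one compared, and all certificate bytes and names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY_NAME = "Any Subject or Alternative Name Attributes in the Certificate"


@dataclass
class ClientCertificate:
    """Fields a real implementation would parse from the presented X.509 certificate."""
    der: bytes                      # the certificate's DER encoding, as received from the client
    subject_cn: Optional[str]
    san: List[str] = field(default_factory=list)
    upn: Optional[str] = None       # SAN otherName UPN; the log username in ANY_NAME mode


def candidate_identities(cert: ClientCertificate, use_identity: str) -> List[str]:
    """Which certificate values are tried, in order, to look up the user."""
    if use_identity == "Subject - Common Name":
        return [cert.subject_cn] if cert.subject_cn else []
    if use_identity == "Subject Alternative Name":
        return list(cert.san)
    if use_identity == ANY_NAME:   # Active Directory only: all subject and SAN values are tried
        names = [cert.subject_cn] if cert.subject_cn else []
        return names + [s for s in cert.san if s not in names]
    raise ValueError(f"unsupported identity selection: {use_identity!r}")


def authenticate(cert: ClientCertificate, use_identity: str,
                 store: Dict[str, Dict[str, List[bytes]]], match_in_store: bool = True) -> Dict:
    """Look the user up by the selected identity, then (when Match Client Certificate Against
    Certificate In Identity Store is enabled) require one stored certificate to be byte-identical."""
    for name in candidate_identities(cert, use_identity):
        record = store.get(name)
        if record is None:
            continue                       # not found under this value; try the next one
        log_name = cert.upn if (use_identity == ANY_NAME and cert.upn) else name
        if not match_in_store:             # basic certificate checking only
            return {"result": "pass", "identity": name, "log_name": log_name, "binary_match": None}
        stored = record.get("userCertificate", [])
        if any(candidate == cert.der for candidate in stored):
            return {"result": "pass", "identity": name, "log_name": log_name, "binary_match": True}
        # Assumption: once a record is found, its certificates decide the outcome.
        return {"result": "fail", "identity": name, "log_name": log_name,
                "reason": f"none of {len(stored)} stored certificates is byte-identical"}
    return {"result": "fail", "identity": None, "reason": "no matching user in identity store"}


# Constructed DER blobs and identity store (the real attribute holds full DER certificates).
OLD_DER = b"\x30\x82\x01\x00constructed-old-certificate"
NEW_DER = b"\x30\x82\x01\x00constructed-new-certificate"
IDENTITY_STORE = {
    "alice": {"userCertificate": [NEW_DER]},
    "alice@example.com": {"userCertificate": [OLD_DER, NEW_DER]},
}

if __name__ == "__main__":
    presented = ClientCertificate(OLD_DER, "alice", ["alice@example.com"], upn="alice@example.com")
    print(authenticate(presented, "Subject - Common Name", IDENTITY_STORE))
    print(authenticate(presented, "Subject Alternative Name", IDENTITY_STORE))
```

The two calls at the end show why the choice of identity field matters: the same client certificate fails against the record found by Common Name, which only holds the newer certificate, and passes against the record found by SAN, which still holds both.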
Active Directory User Authentication Process Flow
When authenticating or querying a user, Cisco ISE checks the following:
-
MS-CHAP and PAP authentications check whether the user is disabled, locked out, expired or out of logon hours, and the authentication fails if any of these conditions is true.
-
EAP-TLS authentications check whether the user is disabled or locked out, and the authentication fails if either of these conditions is met.
Support for Active Directory Multidomain Forests
Cisco ISE supports Active Directory with multidomain forests. Within each forest, Cisco ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which Cisco ISE is connected and the other domains.
Refer to Release Notes for Cisco Identity Services Engine for a list of Windows Server Operating Systems that support Active Directory services.
Note |
Cisco ISE does not support Microsoft Active Directory servers that reside behind a network address translator and have a Network Address Translation (NAT) address. |
Prerequisites for Integrating Active Directory and Cisco ISE
This section describes the manual steps necessary in order to configure Active Directory for integration with Cisco ISE. However, in most cases, you can enable Cisco ISE to automatically configure Active Directory. The following are the prerequisites to integrate Active Directory with Cisco ISE.
-
Ensure you have Active Directory Domain Admin credentials, required in order to make changes to any of the AD domain configurations.
-
Ensure you have the privileges of a Super Admin or System Admin in ISE.
-
Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory. You can configure NTP settings from Cisco ISE CLI.
-
Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. If you want to query other domains from a specific join point, ensure that trust relationships exist between the join point and the other domains that have user and machine information to which you need access. If trust relationships do not exist, you must create another join point to the untrusted domain. For more information on establishing trust relationships, refer to Microsoft Active Directory documentation.
-
You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to which you are joining Cisco ISE.
Active Directory Account Permissions Required to Perform Various Operations
Join Operations | Leave Operations | Cisco ISE Machine Accounts
---|---|---
The join operation requires the following account permissions: It is not mandatory to be a domain administrator to perform a join operation. | The leave operation requires the following account permissions: If you perform a force leave (leave without the password), it will not remove the machine account from the domain. | The ISE machine account that communicates to the Active Directory connection requires the following permissions: You can precreate the machine account in Active Directory. If the SAM name matches the Cisco ISE appliance hostname, it is located during the join operation and re-used. If there are multiple join operations, multiple machine accounts are maintained inside Cisco ISE, one for each join.
Note |
The credentials that are used for the join or leave operation are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored, which enables the Endpoint probe to run. |
Network Ports That Must Be Open for Communication
Protocol | Port (remote-local) | Target | Authenticated | Notes
---|---|---|---|---
DNS (TCP/UDP) | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers | No | —
MSRPC | 445 | Domain Controllers | Yes | —
Kerberos (TCP/UDP) | 88 | Domain Controllers | Yes (Kerberos) | MS AD/KDC
LDAP (TCP/UDP) | 389 | Domain Controllers | Yes | —
LDAP (GC) | 3268 | Global Catalog Servers | Yes | —
NTP | 123 | NTP Servers/Domain Controllers | No | —
IPC | 80 | Other ISE Nodes in the Deployment | Yes (Using RBAC credentials) | —
DNS Server
While configuring your DNS server, make sure that you take care of the following:
-
The DNS servers that you configure in Cisco ISE must be able to resolve all forward and reverse DNS queries for the domains that you want to use.
-
Use an authoritative DNS server to resolve Active Directory records, because DNS recursion can cause delays and have a significant negative impact on performance.
-
All DNS servers must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
-
Cisco recommends that you add the server IP addresses to SRV responses to improve performance.
-
Avoid using DNS servers that query the public Internet. They can leak information about your network when an unknown name has to be resolved.
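To make the SRV requirements above concrete, here is an added example (not code from Cisco or from this guide) that lists the Active Directory locator records a DNS server must be able to answer for DC, GC and KDC discovery, with and without the site-specific form, and that checks a captured SRV answer for targets whose A records are missing from the additional section, which is the situation the recommendation to add server IP addresses to SRV responses is about. The record names are the standard Microsoft _msdcs locator names; the domain, site and answer data are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple


def srv_query_names(domain: str, forest: Optional[str] = None,
                    site: Optional[str] = None) -> Dict[str, List[str]]:
    """Return the SRV names a DC/GC/KDC lookup uses for `domain`.

    Global Catalog records live under the forest root, so pass `forest`
    when `domain` is a child domain.  With `site`, the site-specific
    names (the "with Site information" case) are added as well.
    """
    forest = forest or domain
    names = {
        "DC":  [f"_ldap._tcp.dc._msdcs.{domain}"],
        "GC":  [f"_ldap._tcp.gc._msdcs.{forest}", f"_gc._tcp.{forest}"],
        "KDC": [f"_kerberos._tcp.dc._msdcs.{domain}"],
    }
    if site:
        names["DC"].append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names["GC"].append(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}")
        names["KDC"].append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def _norm(name: str) -> str:
    # DNS names compare case-insensitively, with or without the trailing dot.
    return name.rstrip(".").lower()


def missing_glue(srv_targets: List[Tuple[int, int, int, str]],
                 additional_a: Dict[str, List[str]]) -> List[str]:
    """Return SRV targets that have no A record in the additional section.

    Each such target costs the client a second round trip to resolve,
    which is the delay that adding server IP addresses to SRV responses
    avoids.  srv_targets holds (priority, weight, port, target) tuples.
    """
    glue = {_norm(host) for host, ips in additional_a.items() if ips}
    return [t for (_, _, _, t) in srv_targets if _norm(t) not in glue]


# Constructed SRV answer for _ldap._tcp.dc._msdcs.acme.example:
# two DC targets, but only dc1 has its address in the additional section.
SAMPLE_SRV = [(0, 100, 389, "dc1.acme.example."),
              (0, 100, 389, "dc2.acme.example.")]
SAMPLE_ADDITIONAL = {"dc1.acme.example.": ["10.0.0.11"]}

if __name__ == "__main__":
    for role, qnames in srv_query_names("emea.acme.example",
                                        forest="acme.example",
                                        site="London").items():
        print(role, qnames)
    print("targets needing a second lookup:",
          missing_glue(SAMPLE_SRV, SAMPLE_ADDITIONAL))
```

Query each name with `dig SRV <name>` against every DNS server configured in Cisco ISE; a server that cannot answer one of them, or that answers without glue records, is the one to fix before the join.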
Configure Active Directory as an External Identity Source
Configure Active Directory as an external identity source as part of the configuration for features such as Easy Connect and the PassiveID Work Center. For more information about these features, see Easy Connect and PassiveID Work Center.
Before you configure Active Directory as an External Identity Source, make sure that:
-
The Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
-
The Microsoft Active Directory account intended for the join operation is valid and is not configured with the Change Password on Next Login option.
-
You have the privileges of a Super Admin or System Admin in ISE.
Note | If you see operational issues when Cisco ISE is connected to Active Directory, see the AD Connector Operations Report under .
You must perform the following tasks to configure Active Directory as an external identity source.
Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Before you begin
Make sure that the Cisco ISE node can communicate with the networks where the NTP servers, DNS servers, domain controllers, and global catalog servers are located. You can check these parameters by running the Domain Diagnostic tool.
Join points must be created in order to work with Active Directory as well as with the Agent, Syslog, SPAN and Endpoint probes of the Passive ID Work Center.
If you want to use IPv6 when integrating with Active Directory, then you must ensure that you have configured an IPv6 address for the relevant ISE nodes.
Procedure
Step 1 | Choose .
Step 2 | Click Add and enter the domain name and identity store name from the Active Directory Join Point Name settings.
Step 3 | Click Submit. A pop-up appears asking if you want to join the newly created join point to the domain. Click Yes if you want to join immediately. If you clicked No, then saving the configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the domain yet.
Step 4 | Check the check box next to the new Active Directory join point that you created and click Edit, or click the new Active Directory join point in the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their status.
Step 5 | Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain. You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a domain in a single operation, the username and password of the account to be used must be the same for all join operations. If different usernames and passwords are required to join each Cisco ISE node, perform the join operation individually for each Cisco ISE node.
Step 6 | Enter the Active Directory username and password in the Join Domain dialog box that opens. It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password will be saved in order to be used for all Domain Controllers (DC) that are configured for monitoring. The user used for the join operation should exist in the domain itself. If it exists in a different domain or subdomain, the username should be noted in UPN notation, such as jdoe@acme.com.
Step 7 | (Optional) Check the Specify Organizational Unit check box. Check this check box if the Cisco ISE node machine account is to be located in a specific Organizational Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the specified organizational unit, or moves it to this location if the machine account already exists. If the organizational unit is not specified, Cisco ISE uses the default location. The value must be specified in full distinguished name (DN) format, and the syntax must conform to the Microsoft guidelines. Special reserved characters, such as /'+,;=<>, line feed, space, and carriage return, must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this check box. You can also change the location of the machine account after you join the Active Directory domain.
Step 8 | Click OK. You can select more than one node to join to the Active Directory domain. If the join operation is not successful, a failure message appears. Click the failure message for each node to view detailed logs for that node.
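The escaping rule in Step 7 is easy to get wrong by hand, so here is an added helper (not Cisco code) that builds the organizational-unit DN from plain OU names and splits a DN back into its RDNs while honouring backslash escapes. It escapes the characters Step 7 lists plus the backslash and the double quote, which Microsoft's DN syntax also reserves; because the guide's own example leaves embedded spaces unescaped, the helper escapes only leading and trailing spaces (and a leading #), and writes line feed and carriage return as the hexadecimal escapes \0A and \0D that RFC 4514 requires for control characters. The OU names and domain are the ones from the Step 7 example.

```python
from typing import List

# Characters Step 7 lists as reserved, plus the backslash itself and the
# double quote, which RFC 4514 / Microsoft DN syntax also escape.
RESERVED = set("/'+,;=<>\"\\")


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value (the part after OU= or DC=)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ("\r", "\n"):
            out.append("\\%02X" % ord(ch))      # control chars as \0D / \0A
        elif ch in RESERVED:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")                   # only leading/trailing spaces
        elif ch == "#" and i == 0:
            out.append("\\#")                   # a leading # would start hex data
        else:
            out.append(ch)
    return "".join(out)


def build_ou_dn(ous: List[str], dns_domain: str) -> str:
    """Build a full DN from OU names (leaf first) and the domain's DNS name."""
    rdns = ["OU=" + escape_rdn_value(ou) for ou in ous]
    rdns += ["DC=" + escape_rdn_value(label) for label in dns_domain.split(".")]
    return ",".join(rdns)


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas, keeping each RDN's escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


if __name__ == "__main__":
    # The OU path from the Step 7 example, leaf OU first.
    dn = build_ou_dn(["Cisco ISE,US", "IT Servers", "Servers, and Workstations"],
                     "someDomain.someTLD")
    print(dn)
    print(split_dn(dn))
```

Paste the value returned by build_ou_dn into the Specify Organizational Unit field; if split_dn does not give back exactly one RDN per OU level plus one per DNS label, an escape is missing.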
What to do next
Configure Active Directory User Groups
Configure authentication domains.
Add Domain Controllers
Procedure
Step 1 | Choose Active Directory, and then from the left panel choose .
Step 2 | Check the check box next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses.
Step 3 | Go to the PassiveID tab and click Add DCs.
Step 4 | Check the check box next to the domain controllers that you would like to add to the join point for monitoring and click OK. The domain controllers appear in the Domain Controllers list of the PassiveID tab.
Step 5 | Configure the domain controller:
The DC failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list.
Note | Cisco ISE does not support Read-only Domain Controllers for authentication flows.
Configure WMI for Passive ID
Before you begin
Procedure
Step 1 | Choose .
Step 2 | Check the check box next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses. For more information, see Table 2.
Step 3 | Go to the Passive ID tab, check the check box next to the relevant domain controllers and click Config WMI to enable ISE to automatically configure the domain controllers you selected. To configure Active Directory and Domain Controllers manually, or to troubleshoot any problems with configuration, see Prerequisites for Integrating Active Directory and Cisco ISE.
Leave the Active Directory Domain
If you no longer need to authenticate users or machines from this Active Directory domain or from this join point, you can leave the Active Directory domain.
When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined. However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform a leave operation from the Admin portal with the Active Directory credentials because it also removes the node account from the Active Directory domain. This is also recommended when you change the Cisco ISE hostname.
Before you begin
If you leave the Active Directory domain, but still use Active Directory as an identity source for authentication (either directly or as part of an identity source sequence), authentications may fail.
Procedure
Step 1 | Choose .
Step 2 | Check the check box next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses.
Step 3 | Check the check box next to the Cisco ISE node and click Leave.
Step 4 | Enter the Active Directory username and password, and click OK to leave the domain and remove the machine account from the Cisco ISE database. If you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco ISE machine account from the Active Directory database.
Step 5 | If you do not have the Active Directory credentials, check the No Credentials Available check box, and click OK. If you check the Leave domain without credentials check box, the primary Cisco ISE node leaves the Active Directory domain. The Active Directory administrator must manually remove the machine account that was created in Active Directory at the time of the join.
Configure Authentication Domains
The domain to which Cisco ISE is joined has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that authentications are performed against the selected domains only. Authentication domains improve security because they instruct Cisco ISE to authenticate users only from the selected domains and not from all domains trusted by the join point. Authentication domains also improve the performance and latency of authentication request processing because they limit the search area (that is, where accounts matching the incoming username or identity are searched for). This is especially important when the incoming username or identity does not contain domain markup (prefix or suffix). For these reasons, configuring authentication domains is a best practice, and we highly recommend it.
Procedure
Step 1 | Choose .
Step 2 | Click the Authentication Domains tab. A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
Step 3 | To allow only specified domains, uncheck the Use all Active Directory domains for authentication check box.
Step 4 | Check the check box next to the domains for which you want to allow authentication, and click Enable Selected. In the Authenticate column, the status of this domain changes to Yes. You can also disable selected domains.
Step 5 | Click Show Unusable Domains to view a list of domains that cannot be used. Unusable domains are domains that Cisco ISE cannot use for authentication due to reasons such as one-way trust, selective authentication, and so on.
What to do next
Configure Active Directory user groups.
Configure Active Directory User Groups
You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. SIDs provide accurate group assignment matching.
Procedure
Step 1 | Choose .
Step 2 | Click the Groups tab.
Step 3 | Do one of the following:
Do not use double quotes (”) in the group name for the user interface login.
Step 4 | If you are manually selecting groups, you can search for them using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character to filter the results. You can retrieve only 500 groups at a time.
Step 5 | Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.
Step 6 | If you choose to manually add a group, enter a name and SID for the new group.
Step 7 | Click OK.
Step 8 | Click Save.
What to do next
Configure Active Directory user attributes.
Configure Active Directory User and Machine Attributes
You must configure Active Directory user and machine attributes to be able to use them in conditions in authorization policies.
Procedure
Step 1 | Choose Active Directory.
Step 2 | Click the Attributes tab.
Step 3 | Choose to manually add an attribute, or choose to select a list of attributes from the directory. Cisco ISE allows you to configure the AD with an IPv4 or IPv6 address for user authentication when you manually add the attribute type IP.
Step 4 | If you choose to add attributes from the directory, enter the name of a user in the Sample User or Machine Account field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter administrator to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.
Step 5 | Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.
Step 6 | If you choose to manually add an attribute, enter a name for the new attribute.
Step 7 | Click Save.
Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings
Before you begin
You must join Cisco ISE to the Active Directory domain. For more information, see Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point.
Procedure
Step 1 | Choose .
Step 2 | Check the check box next to the relevant Cisco ISE node and click Edit.
Step 3 | Click the Advanced Settings tab.
Step 4 | Modify the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings as required. These options are enabled by default. Enable Machine Access Restrictions - Aging Time: the time in hours before a MAC address in the MAR cache times out and is deleted.
Step 5 | Check the Enable dial-in check check box to check the dial-in permissions of the user during authentication or query. If the dial-in permission is denied, the result of the check can cause the authentication to be rejected.
Step 6 | Check the Enable callback check for dial-in clients check box if you want the server to call back the user during authentication or query. The IP address or phone number used by the server can be set either by the caller or by the network administrator. The result of the check is returned to the device in the RADIUS response.
Step 7 | Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
Machine Access Restriction (MAR) Cache
Cisco ISE stores the MAR cache content, calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of the application services. Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live when the application services restart. When the application services come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, then Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.
To Configure MAR Cache
On Advanced Settings tab of the Active Directory defined in External Identity Sources, verify that the following options are checked:
-
Enable Machine Authentication: To enable machine authentication.
-
Enable Machine Access Restriction: To combine user and machine authentication before authorization.
To Use MAR Cache in Authorization
Use WasMachineAuthenticated is True in an authorization policy. You can use this rule plus a credentials rule to do dual authentication. Machine authentication must be done before AD credentials.
If you created a Node Group on the System > Deployment page, enable MAR Cache Distribution. MAR cache distribution replicates the MAR cache to all the PSNs in the same node group.
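The restart rule in the Machine Access Restriction (MAR) Cache paragraph above and the dual-authentication rule under To Use MAR Cache in Authorization are modelled in the following added Python example (an illustration, not Cisco code): a cache keyed by calling-station-id with an aging time in hours, a persist/reload pair that drops entries whose age exceeds their time to live, and an authorize function that permits only when the user credentials succeeded and WasMachineAuthenticated is True. Reducing a reloaded entry's remaining time to live by the elapsed time is our reading of "updates its MAR cache entry time to live"; the MAC addresses and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MarEntry:
    calling_station_id: str  # MAC address of the endpoint that passed machine auth
    auth_time: float         # epoch seconds when the entry was (re)started
    ttl: float               # seconds the entry stays valid from auth_time


class MarCache:
    """In-memory MAR cache keyed by calling-station-id (MAC address)."""

    def __init__(self, aging_hours: float):
        self.aging_seconds = aging_hours * 3600
        self.entries: Dict[str, MarEntry] = {}

    def record_machine_auth(self, mac: str, now: float) -> None:
        # A successful machine authentication (re)starts the aging timer.
        self.entries[mac] = MarEntry(mac, now, self.aging_seconds)

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        # The WasMachineAuthenticated attribute: True only while the entry is live.
        entry = self.entries.get(mac)
        if entry is None:
            return False
        if now - entry.auth_time > entry.ttl:
            del self.entries[mac]   # aged out: as if no machine auth had happened
            return False
        return True

    def persist(self) -> List[Tuple[str, float, float]]:
        # What a manual stop of the application services writes to local disk.
        return [(e.calling_station_id, e.auth_time, e.ttl)
                for e in self.entries.values()]

    @classmethod
    def reload(cls, aging_hours: float,
               persisted: List[Tuple[str, float, float]], now: float) -> "MarCache":
        # Restart logic from the page: an entry whose age exceeds its TTL is
        # not retrieved; otherwise it is kept with the remaining TTL
        # (our reading of "updates its MAR cache entry time to live").
        cache = cls(aging_hours)
        for mac, auth_time, ttl in persisted:
            elapsed = now - auth_time
            if elapsed > ttl:
                continue
            cache.entries[mac] = MarEntry(mac, now, ttl - elapsed)
        return cache


def authorize(user_credentials_ok: bool, mac: str,
              cache: MarCache, now: float) -> str:
    """Dual authentication: user credentials AND WasMachineAuthenticated is True."""
    if not user_credentials_ok:
        return "DENY: user credentials failed"
    if not cache.was_machine_authenticated(mac, now):
        return "DENY: no live machine authentication for this calling-station-id"
    return "PERMIT"


if __name__ == "__main__":
    # Constructed timeline: machine auth at t=1000 s, aging time 1 hour.
    cache = MarCache(aging_hours=1)
    cache.record_machine_auth("00:11:22:33:44:55", now=1000.0)
    print(authorize(True, "00:11:22:33:44:55", cache, now=2800.0))   # PERMIT
    print(authorize(True, "aa:bb:cc:dd:ee:ff", cache, now=2800.0))   # DENY
    saved = cache.persist()                                           # manual stop
    print(MarCache.reload(1, saved, now=5000.0).entries)              # {} : too old
```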
For More Information
See the following Cisco ISE Community pages:
-
Why is MAR useful even when EAP-TLS is available https://community.cisco.com/t5/policy-and-access/mar-why-is-it-useful/td-p/3213527
-
MAR aging time vs AnyConnect EAP-TLS https://community.cisco.com/t5/policy-and-access/ise-2-1-mar-aging-time-eap-tls/td-p/3209628
Configure Custom Schema
Before you begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1 | Choose .
Step 2 | Select the Join point.
Step 3 | Click the Advanced Settings tab.
Step 4 | Under the Schema section, select the Custom option from the Schema drop-down list. You can update the user information attributes based on your requirements. These attributes are used to collect user information, such as first name, last name, email, telephone, locality, and so on. Predefined attributes are used for the Active Directory schema (built-in schema). If you edit the attributes of the predefined schema, Cisco ISE automatically creates a custom schema.
Support for Active Directory Multi-Join Configuration
Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join.
You can join the same forest more than once, that is, you can join more than one domain in the same forest, if necessary.
Cisco ISE now allows you to join domains with a one-way trust. This option helps bypass the permission issues caused by a one-way trust. You can join either of the trusted domains and hence be able to see both domains.
-
Join Point—In Cisco ISE, each independent join to an Active Directory domain is called a join point. The Active Directory join point is a Cisco ISE identity store and can be used in authentication policy. It has an associated dictionary for attributes and groups, which can be used in authorization conditions.
-
Scope—A subset of Active Directory join points grouped together is called a scope. You can use scopes in authentication policy in place of a single join point and as authentication results. Scopes are used to authenticate users against multiple join points. Instead of having multiple rules for each join point, if you use a scope, you can create the same policy with a single rule, which saves the time that Cisco ISE takes to process a request and helps improve performance. A join point can be present in multiple scopes. A scope can be included in an identity source sequence. You cannot use scopes in an authorization policy condition because scopes do not have any associated dictionaries.
When you perform a fresh Cisco ISE install, by default no scopes exist. This is called the no scope mode. When you add a scope, Cisco ISE enters multi-scope mode. If you want, you can return to no scope mode. All the join points will be moved to the Active Directory folder.
-
Initial_Scope is an implicit scope that is used to store the Active Directory join points that were added in no scope mode. When multi-scope mode is enabled, all the Active Directory join points move into the automatically created Initial_Scope. You can rename the Initial_Scope.
-
All_AD_Instances is a built-in pseudo scope that is not shown in the Active Directory configuration. It is only visible as an authentication result in policy and identity sequences. You can select this scope if you want to select all Active Directory join points configured in Cisco ISE.
Create a New Scope to Add Active Directory Join Points
Procedure
Step 1 | Choose .
Step 2 | Click Scope Mode. A default scope called Initial_Scope is created, and all the current join points are placed under this scope.
Step 3 | To create more scopes, click Add.
Step 4 | Enter a name and a description for the new scope.
Step 5 | Click Submit.
Identity Rewrite
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix or other additional markup of your choice.
Identity rewrite rules are applied on the username or hostname received from the client, before being passed to Active Directory, for operations such as subject searches, authentication, and authorization queries. Cisco ISE will match the condition tokens and when the first one matches, Cisco ISE stops processing the policy and rewrites the identity string according to the result.
During the rewrite, everything enclosed in square bracket [ ] (such as [IDENTITY]) is a variable that is not evaluated on the evaluation side but instead added with the string that matches that location in the string. Everything without the brackets is evaluated as a fixed string on both the evaluation side and the rewrite side of the rule.
The following are some examples of identity rewrite, considering that the identity entered by the user is ACME\jdoe:
-
If identity matches ACME\[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This rule instructs Cisco ISE to strip all usernames with the ACME prefix.
-
If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]@ACME.com.
The result would be jdoe@ACME.com. This rule instructs Cisco ISE to change the format from prefix to suffix notation, or from NetBIOS format to UPN format.
-
If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY].
The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate prefix.
-
If the identity matches [ACME]\jdoe.USA, rewrite as [IDENTITY]@[ACME].com.
The result would be jdoe\ACME.com. This rule instructs Cisco ISE to strip the realm after the dot, in this case the country, and replace it with the correct domain.
-
If the identity matches E=[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This is an example rule that can be created when an identity is from a certificate, the field is an email address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
-
If the identity matches E=[EMAIL],[DN], rewrite as [DN].
This rule converts the certificate subject from E=jdoe@acme.com, CN=jdoe, DC=acme, DC=com to a pure DN, CN=jdoe, DC=acme, DC=com. This is an example rule that can be created when the identity is taken from a certificate subject and Active Directory is configured to search for the user by DN. This rule instructs Cisco ISE to strip the email prefix and generate the DN.
The following are some common mistakes while writing the identity rewrite rules:
-
If the identity matches [DOMAIN]\[IDENTITY], rewrite as [IDENTITY]@DOMAIN.com.
The result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the rewrite side of the rule.
-
If the identity matches DOMAIN\[IDENTITY], rewrite as [IDENTITY]@[DOMAIN].com.
Here again, the result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the evaluation side of the rule.
Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also apply to identities taken from certificates if EAP-TLS is being used.
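To show how the matching and rewriting described above behave, here is an added Python model of the rule engine (an illustration, not Cisco's implementation): bracketed tokens on the match side capture text, everything else is literal, the first matching rule wins, and an identity that matches no rule is returned unchanged. It also includes a validate_rule check that catches the two common mistakes listed above before a rule is deployed, which is what you would want the Launch Test preview to tell you. Matching is case-sensitive in this model, which is an assumption; the certificate subject from the last example is written without spaces after the commas, and the fourth example is restated as [DOMAIN]\[IDENTITY].USA so that every token on the rewrite side is also captured on the match side.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

TOKEN = re.compile(r"\[([A-Za-z0-9_]+)\]")   # [IDENTITY], [DOMAIN], [DN], ...

Rule = Tuple[Pattern, List[str], str]        # (compiled match side, token names, rewrite side)


def validate_rule(match_expr: str, rewrite_expr: str) -> List[str]:
    """Return the mistakes the page warns about: a rewrite-side token that
    was never captured on the match side (it can never be filled in), or a
    token captured twice on the match side."""
    problems = []
    match_tokens = TOKEN.findall(match_expr)
    for name in sorted(set(match_tokens)):
        if match_tokens.count(name) > 1:
            problems.append(f"[{name}] appears more than once on the match side")
    for name in TOKEN.findall(rewrite_expr):
        if name not in match_tokens:
            problems.append(f"[{name}] is used on the rewrite side but never captured")
    return problems


def compile_rule(match_expr: str, rewrite_expr: str) -> Rule:
    """Turn 'ACME\\[IDENTITY]' into a regex: literals are escaped,
    each [TOKEN] becomes a lazy capture group."""
    problems = validate_rule(match_expr, rewrite_expr)
    if problems:
        raise ValueError("; ".join(problems))
    parts, names, pos = [], [], 0
    for m in TOKEN.finditer(match_expr):
        parts.append(re.escape(match_expr[pos:m.start()]))  # fixed text, e.g. "ACME\"
        parts.append(f"(?P<t{len(names)}>.*?)")           # the token's capture group
        names.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(match_expr[pos:]))
    return re.compile("".join(parts)), names, rewrite_expr


def apply_rule(rule: Rule, identity: str) -> Optional[str]:
    """Return the rewritten identity, or None if the rule does not match."""
    regex, names, rewrite_expr = rule
    m = regex.fullmatch(identity)          # the whole identity must match
    if m is None:
        return None
    captured: Dict[str, str] = {name: m.group(f"t{i}") for i, name in enumerate(names)}
    return TOKEN.sub(lambda t: captured[t.group(1)], rewrite_expr)


def rewrite_identity(identity: str, rules: List[Rule]) -> str:
    """Rules are processed in order; the first match wins and no match
    leaves the identity unchanged, as the configuration step states."""
    for rule in rules:
        result = apply_rule(rule, identity)
        if result is not None:
            return result
    return identity


if __name__ == "__main__":
    policy = [compile_rule("ACME\\[IDENTITY]", "[IDENTITY]@ACME.com"),
              compile_rule("E=[EMAIL],[DN]", "[DN]")]
    print(rewrite_identity("ACME\\jdoe", policy))                               # jdoe@ACME.com
    print(rewrite_identity("E=jdoe@acme.com,CN=jdoe,DC=acme,DC=com", policy))  # CN=jdoe,DC=acme,DC=com
    print(validate_rule("DOMAIN\\[IDENTITY]", "[IDENTITY]@[DOMAIN].com"))      # the second common mistake
```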
Enable Identity Rewrite
Note | This configuration task is optional. You can perform it to reduce authentication failures that can arise because of various reasons such as ambiguous identity errors.
Before you begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1 | Choose .
Step 2 | Click the Advanced Settings tab.
Step 3 | Under the Identity Rewrite section, choose whether you want to apply the rewrite rules to modify usernames.
Step 4 | Enter the match conditions and the rewrite results. You can remove the default rule that appears and enter the rule according to your requirement. Cisco ISE processes the policy in order, and the first condition that matches the request username is applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username to the result. If none of the rules match, the identity name remains unchanged. You can click the Launch Test button to preview the rewrite processing.
Identity Resolution Settings
Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, “ACME” is the domain markup prefix; similarly, in a UPN identity such as jdoe@acme.com, “acme.com” is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or an alternative UPN suffix in your organization. For example, jdoe@gmail.com is treated as an identity without domain markup because gmail.com is not the DNS name of an Active Directory domain.
The identity resolution settings allow you to configure important settings to tune the balance between security and performance to match your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain markup. In cases where Cisco ISE is not aware of the user's domain, it can be configured to search for the user in all the authentication domains. Even if the user is found in one domain, Cisco ISE waits for all responses in order to ensure that there is no identity ambiguity. This can be a lengthy process, depending on the number of domains, latency in the network, load, and so on.
Avoid Identity Resolution Issues
It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication: for example, UPNs and NetBIOS names for users, and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors frequently, such as several Active Directory accounts matching the incoming username; for example, jdoe matches jdoe@emea.acme.com and jdoe@amer.acme.com. In some cases, using fully qualified names is the only way to resolve the issue. In others, it may be sufficient to guarantee that the users have unique passwords. So, it is more efficient and leads to fewer password lockout issues if unique identities are used from the start.
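As an added illustration (not Cisco code) of the markup rules and the ambiguity error described above, the following Python model classifies an identity as NetBIOS-prefixed, UPN-suffixed or markup-free against a constructed two-domain directory, then searches the way the text describes: a marked-up identity is looked up in its own domain only, an unmarked one in every enabled authentication domain, and duplicate hits are reported as ambiguous. It also shows why restricting the authentication domains (configured earlier on this page) narrows the search for unmarked identities. Treating an unknown NetBIOS prefix the same way as an unknown UPN suffix, that is, as no markup, is an assumption; the directory contents and domain names are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed directory: two child domains of acme.com that both contain a "jdoe".
DIRECTORY: Dict[str, dict] = {
    "emea.acme.com": {"netbios": "EMEA", "users": {"jdoe", "asmith"}},
    "amer.acme.com": {"netbios": "AMER", "users": {"jdoe", "bkim"}},
}


def classify_identity(identity: str, directory: Dict[str, dict]
                      ) -> Tuple[str, str, Optional[str]]:
    """Return (kind, user, domain) with kind 'netbios', 'upn' or 'none'.

    A prefix or suffix that is not a known AD domain is not domain markup;
    the page states this for suffixes (jdoe@gmail.com) and we assume the
    same for prefixes.
    """
    netbios = {v["netbios"].upper(): d for d, v in directory.items()}
    if "\\" in identity:
        prefix, user = identity.split("\\", 1)
        if prefix.upper() in netbios:
            return ("netbios", user, netbios[prefix.upper()])
        return ("none", identity, None)
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        for domain in directory:
            if suffix.lower() == domain:
                return ("upn", user, domain)
        return ("none", identity, None)
    return ("none", identity, None)


def resolve(identity: str, directory: Dict[str, dict],
            auth_domains: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Search as the page describes and report 'ok', 'ambiguous' or 'not_found'.

    With markup only that domain is searched.  Without markup every enabled
    authentication domain is searched and all answers are collected, so a
    username present in two domains surfaces as an ambiguity error.
    """
    _, user, domain = classify_identity(identity, directory)
    if domain is not None:
        hits = [domain] if user in directory[domain]["users"] else []
    else:
        search = auth_domains if auth_domains is not None else list(directory)
        hits = sorted(d for d in search if user in directory[d]["users"])
    if len(hits) == 1:
        return ("ok", hits)
    if len(hits) > 1:
        return ("ambiguous", hits)
    return ("not_found", hits)


if __name__ == "__main__":
    for ident in ("jdoe", "jdoe@emea.acme.com", "AMER\\jdoe", "jdoe@gmail.com"):
        print(ident, "->", resolve(ident, DIRECTORY))
    # Limiting the authentication domains removes the ambiguity for "jdoe".
    print("jdoe (EMEA only) ->", resolve("jdoe", DIRECTORY, auth_domains=["emea.acme.com"]))
```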
Configure Identity Resolution Settings
Note | This configuration task is optional. You can perform it to reduce authentication failures that can arise because of various reasons such as ambiguous identity errors.
Before you begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1 | Choose .
Step 2 | Click the Advanced Settings tab.
Step 3 | Define the following settings for identity resolution for usernames or machine names under the Identity Resolution section. These settings provide advanced control over user search and authentication. The first setting is for identities without a markup. In such cases, you can select any of the following options:
The selection is made based on how the authentication domains are configured in Cisco ISE. If only specific authentication domains are selected, only those domains will be searched (for both the “joined forest” and “all forests” selections). The second setting is used if Cisco ISE cannot communicate with all the Global Catalogs (GCs) that it needs to in order to comply with the configuration specified in the “Authentication Domains” section. In such cases, you can select any of the following options:
Test Users for Active Directory Authentication
The Test User tool can be used to verify user authentication from Active Directory. You can also fetch groups and attributes and examine them. You can run the test for a single join point or for scopes.
Procedure
Step 1 | Choose .
Step 2 | Choose one of the following options:
Step 3 | Enter the username and password of the user (or host) in Active Directory.
Step 4 | Choose the authentication type. Password entry in Step 3 is not required if you choose the Lookup option.
Step 5 | Select the Cisco ISE node on which you want to run this test, if you are running this test for all join points.
Step 6 | Check the Retrieve Groups and Attributes check boxes if you want to retrieve the groups and attributes from Active Directory.
Step 7 | Click Test. The result and steps of the test operation are displayed. The steps can help to identify the failure reason and troubleshoot. You can also view the time taken (in milliseconds) for Active Directory to perform each processing step (for authentication, lookup, or fetching groups/attributes). Cisco ISE displays a warning message if the time taken for an operation exceeds the threshold.
Delete Active Directory Configurations
You should delete Active Directory configurations if you are not going to use Active Directory as an external identity source. Do not delete the configuration if you want to join another Active Directory domain. You can leave the domain to which you are currently joined and join a new domain.
Before you begin
Ensure that you have left the Active Directory domain.
Procedure
Step 1 | Choose .
Step 2 | Check the check box next to the configured Active Directory.
Step 3 | Check and ensure that the Local Node status is listed as Not Joined.
Step 4 | Click Delete. You have removed the configuration from the Active Directory database. If you want to use Active Directory at a later point in time, you can resubmit a valid Active Directory configuration.
View Active Directory Joins for a Node
You can use the Node View button on the Active Directory page to view the status of all Active Directory join points for a given Cisco ISE node or a list of all join points on all Cisco ISE nodes.
Procedure
Step 1 | Choose .
Step 2 | Click Node View.
Step 3 | Select a node from the ISE Node drop-down list. The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a deployment, this table may take several minutes to update.
Step 4 | Click the join point Name link to go to that Active Directory join point page and perform other specific actions.
Step 5 | Click the link in the Diagnostic Summary column to go to the Diagnostic Tools page to troubleshoot specific issues. The diagnostic tool displays the latest diagnostics results for each join point per node.
Diagnose Active Directory Problems
The Diagnostic Tool is a service that runs on every Cisco ISE node. It allows you to automatically test and diagnose the Active Directory deployment and execute a set of tests to detect issues that may cause functionality or performance failures when Cisco ISE uses Active Directory.
There are multiple reasons for which Cisco ISE might be unable to join or authenticate against Active Directory. This tool helps ensure that the prerequisites for connecting Cisco ISE to Active Directory are configured correctly. It helps detect problems with networking, firewall configurations, clock sync, user authentication, and so on. This tool works as a step-by-step guide and helps you fix problems with every layer in the middle, if needed.
Procedure
Step 1 |
Choose . |
Step 2 |
Click the Advanced Tools drop-down and choose Diagnostic Tools. |
Step 3 |
Select a Cisco ISE node to run the diagnosis on. If you do not select a Cisco ISE node then the test is run on all the nodes. |
Step 4 |
Select a specific Active Directory join point. If you do not select an Active Directory join point then the test is run on all the join points. |
Step 5 |
You can run the diagnostic tests either on demand or on a scheduled basis. |
Step 6 |
Click View Test Details to view the details for tests with Warning or Failed status. This table allows you to rerun specific tests, stop running tests, and view a report of specific tests. |
Enable Active Directory Debug Logs
Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.
Procedure
Step 1 |
Choose . |
Step 2 |
Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit. |
Step 3 |
Click the Active Directory radio button, and click Edit. |
Step 4 |
Choose DEBUG from the drop-down list next to Active Directory. This will include errors, warnings, and verbose logs. To get full logs, choose TRACE. |
Step 5 |
Click Save. |
Obtain the Active Directory Log File for Troubleshooting
Download and view the Active Directory debug logs to troubleshoot issues you may have.
Before you begin
Active Directory debug logging must be enabled.
Procedure
Step 1 |
Choose . |
Step 2 |
Click the node from which you want to obtain the Active Directory debug log file. |
Step 3 |
Click the Debug Logs tab. |
Step 4 |
Scroll down this page to locate the ad_agent.log file. Click this file to download it. |
Active Directory Alarms and Reports
Alarms
Cisco ISE provides various alarms and reports to monitor and troubleshoot Active Directory related activities.
-
Configured nameserver not available
-
Joined domain is unavailable
-
Authentication domain is unavailable
-
Active Directory forest is unavailable
-
AD Connector had to be restarted
-
AD: ISE account password update failed
-
AD: Machine TGT refresh failed
Reports
-
RADIUS Authentications Report—This report shows detailed steps of the Active Directory authentication and authorization. You can find this report here: .
-
AD Connector Operations Report—The AD Connector Operations report provides a log of background operations performed by the AD connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP, and RPC connection management. If you encounter any Active Directory failures, you can review the details in this report to identify the possible causes. You can find this report here: .
Active Directory Advanced Tuning
The advanced tuning feature provides node-specific settings used for support action under the supervision of Cisco support personnel, to adjust the parameters deeper in the system. These settings are not intended for normal administration flow, and should be used only under guidance.
Active Directory Identity Search Attributes
Cisco ISE identifies users using the attributes SAM, CN, or both. Cisco ISE, Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, use the sAMAccountName attribute as the default attribute. In earlier releases, both the SAM and CN attributes were searched by default. This behavior changed in Release 2.2 Patch 5 and above, and 2.3 Patch 2 and above, as part of the CSCvf21978 bug fix. In these releases, only the sAMAccountName attribute is used as the default attribute.
You can configure Cisco ISE to use SAM, CN, or both, if your environment requires it. When SAM and CN are used, and the value of the sAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.
Note |
The identity search behavior has been changed in Cisco ISE 2.4 to search the SAM account name only, by default. To modify this default behavior, change the value of the "IdentityLookupField" flag as mentioned in the "Configure Attributes for Active Directory Identity Search" section. |
Configure Attributes for Active Directory Identity Search
-
Choose . In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter the following details:
-
ISE Node—Choose the ISE node that is connecting to Active Directory.
-
Name—Enter the registry key that you are changing. To change the Active Directory search attributes, enter:
REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField
-
Value—Enter the attributes that ISE uses to identify a user:
-
SAM—To use only SAM in the query (this option is the default).
-
CN—To use only CN in the query.
-
SAMCN—To use CN and SAM in the query.
-
Comment—Describe what you are changing, for example: Changing the default behavior to SAM and CN
-
Click Update Value to update the registry.
A pop-up window appears. Read the message and accept the change. The AD connector service in ISE restarts.
Example Search Strings
For the following examples, assume that the username is userd2only:
-
SAM search string—
filter=[(&(|(objectCategory=person)(objectCategory=computer))(|(cn=userd2only)(sAMAccountName=userd2only)))]
-
SAM and CN search string—
filter=[(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=userd2only))]
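The two filters above are what the three IdentityLookupField values (SAM, CN, SAMCN) produce for a given user name: the SAM setting queries sAMAccountName only, and SAMCN adds an OR over cn (so the first string above, which matches on both cn and sAMAccountName, is the SAMCN form). The following Python is an added example, not Cisco ISE code, that builds those filters from the setting and the user name. It also shows the check a defender wants in any code that embeds a user-supplied name into an LDAP filter: RFC 4515 escaping of the special characters, so that a name containing parentheses or a wildcard cannot change the meaning of the query. The function and constant names are this example's own.

```python
# Added example: build the identity search filter for each IdentityLookupField
# setting described above, with RFC 4515 escaping of the user-supplied value.
# This is illustrative code, not the ISE AD connector's implementation.

# Which LDAP attributes each registry value maps to (attribute order matches
# the search strings shown on the page).
LOOKUP_ATTRIBUTES = {
    "SAM": ("sAMAccountName",),
    "CN": ("cn",),
    "SAMCN": ("cn", "sAMAccountName"),
}

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_identity_filter(username: str, lookup_field: str = "SAM") -> str:
    """Return the search filter (in the 'filter=[...]' notation used on the page)
    for looking up `username` under the given IdentityLookupField setting."""
    try:
        attrs = LOOKUP_ATTRIBUTES[lookup_field]
    except KeyError:
        raise ValueError(f"unknown IdentityLookupField value: {lookup_field!r}")
    value = escape_filter_value(username)
    # Both persons and computers are candidates, exactly as in the page's examples.
    object_clause = "(|(objectCategory=person)(objectCategory=computer))"
    if len(attrs) == 1:
        identity_clause = f"({attrs[0]}={value})"
    else:
        identity_clause = "(|" + "".join(f"({a}={value})" for a in attrs) + ")"
    return f"filter=[(&{object_clause}{identity_clause})]"


if __name__ == "__main__":
    for mode in ("SAM", "CN", "SAMCN"):
        print(mode, build_identity_filter("userd2only", mode))
```

With the default SAM setting the function reproduces the second search string above; with SAMCN it reproduces the first. Note that SAMCN only makes sense when the CN values in the directory are at least as unique as the account names, since the OR clause can otherwise return more than one object for a single login name.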
Supplemental Information for Setting Up Cisco ISE with Active Directory
For configuring Cisco ISE with Active Directory, you must configure group policies, and configure a supplicant for machine authentication.
Configure Group Policies in Active Directory
For more information about how to access the Group Policy management editor, refer to the Microsoft Active Directory documentation.
Procedure
Step 1 |
Open the Group Policy management editor as shown in the following illustration. |
Step 2 |
Create a new policy and enter a descriptive name for it or add to an existing domain policy. Example: |
Step 3 |
Check the Define this policy setting check box, and click the Automatic radio button for the service startup mode as shown in the following illustration. |
Step 4 |
Apply the policy at the desired organizational unit or domain Active Directory level. The computers will receive the policy when they reboot and this service will be turned on. |
Configure Odyssey 5.X Supplicant for EAP-TLS Machine Authentications Against Active Directory
If you are using the Odyssey 5.x supplicant for EAP-TLS machine authentications against Active Directory, you must configure the following in the supplicant.
Procedure
Step 1 |
Start Odyssey Access Client. |
Step 2 |
Choose Odyssey Access Client Administrator from the Tools menu. |
Step 3 |
Double-click the Machine Account icon. |
Step 4 |
From the Machine Account page, you must configure a profile for EAP-TLS authentications: |
AnyConnect Agent for Machine Authentication
When you configure AnyConnect Agent for machine authentication, you can do one of the following:
-
Use the default machine hostname, which includes the prefix “host/.”
-
Configure a new profile, in which case you must include the prefix “host/” and then the machine name.
Active Directory Requirements to Support Easy Connect and Passive Identity services
Easy Connect and Passive Identity services use Active Directory login audit events generated by the Active Directory domain controller to gather user login information. The Active Directory server must be configured properly so that the ISE user can connect and fetch the user login information. The following sections show how to configure the Active Directory domain controller (configurations from the Active Directory side) to support Easy Connect and Passive Identity services.
To configure Active Directory domain controllers (configurations from the Active Directory side) to support Easy Connect and Passive Identity services, follow these steps:
-
Set up Active Directory join points and domain controllers from ISE. See Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point and Add Domain Controllers.
-
Configure WMI per domain controller. See Configure WMI for Passive ID.
-
Perform the following steps from Active Directory:
-
(Optional) Troubleshoot automatic configurations performed by ISE on Active Directory with these steps:
Configure Active Directory for Passive Identity service
ISE Easy Connect and Passive Identity services use Active Directory login audit events generated by the Active Directory domain controller to gather user login information. ISE connects to Active Directory and fetches the user login information.
The following steps should be performed from the Active Directory domain controller:
Procedure
Step 1 |
Make sure relevant Microsoft patches are installed on the Active Directory domain controllers. |
Step 2 |
Make sure the Active Directory logs the user login events in the Windows Security Log. Verify that the settings of the “Audit Policy” (part of the “Group Policy Management” settings) allows successful logons to generate the necessary events in the Windows Security Log (this is the default Windows setting, but you must explicitly ensure that this setting is correct). See Setting the Windows Audit Policy. |
Step 3 |
You must have an Active Directory user with sufficient permissions for ISE to connect to Active Directory. The following instructions show how to define permissions either for a user in the Domain Admin group or for a user who is not in the Domain Admin group: |
Step 4 |
The Active Directory user used by ISE can be authenticated either by NT LAN Manager (NTLM) v1 or v2. You need to verify that the Active Directory NTLM settings are aligned with the ISE NTLM settings to ensure a successful authenticated connection between ISE and the Active Directory Domain Controller. The following table shows all Microsoft NTLM options, and which ISE NTLM actions are supported. If ISE is set to NTLMv2, all six options described in are supported. If ISE is set to support NTLMv1, only the first five options are supported. |
Step 5 |
Make sure that you have created a firewall rule to allow traffic to dllhost.exe on Active Directory domain controllers. You can either turn the firewall off, or allow access on a specific IP (ISE IP address) to the following ports:
Higher ports are assigned dynamically or you can configure them manually. We recommend that you add %SystemRoot%\System32\dllhost.exe as a target. This program manages ports dynamically. All firewall rules can be assigned to specific IP (ISE IP). |
Set the Windows Audit Policy
Ensure that the Audit Policy (part of the Group Policy Management settings) allows successful logons. This is required to generate the necessary events in the Windows Security Log of the AD domain controller machine. This is the default Windows setting, but you must verify that this setting is correct.
Procedure
Step 1 |
Choose . |
Step 2 |
Navigate under Domains to the relevant domain and expand the navigation tree. |
Step 3 |
Choose Default Domain Controller Policy, right click and choose Edit. The Group Policy Management Editor appears. |
Step 4 |
Choose . |
Step 5 |
If any Audit Policy item settings have been changed, you should then run |
Set Permissions When AD User in the Domain Admin Group
For Windows 2008 R2, Windows 2012, and Windows 2012 R2, the Domain Admin group does not have full control of certain registry keys in the Windows operating system by default. The Active Directory admin must give the Active Directory user Full Control permissions on the following registry keys:
-
HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
-
HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
No registry changes are required for the following Active Directory versions:
-
Windows 2003
-
Windows 2003R2
-
Windows 2008
To grant full control, the Active Directory admin must first take ownership of the key, as shown below.
Procedure
Step 1 |
Go to the Owner tab by right clicking the key. |
Step 2 |
Click Permissions. |
Step 3 |
Click Advanced. |
Required Permissions when AD User not in Domain Admin Group
For Windows 2012 R2, give the Active Directory user Full Control permissions on the following registry keys:
-
HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
-
HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
The following permissions also are required when an Active Directory user is not in the Domain Admin group, but is in the Domain Users group:
-
Add Registry Keys to Allow ISE to Connect to the Domain Controller (see below)
These permissions are only required for the following Active Directory versions:
-
Windows 2003
-
Windows 2003R2
-
Windows 2008
-
Windows 2008 R2
-
Windows 2012
-
Windows 2012 R2
-
Windows 2016
Add Registry Keys to Allow ISE to Connect to the Domain Controller
You must manually add some registry keys to the domain controller to allow ISE to connect as a Domain User, and retrieve login authentication events. An agent is not required on the domain controllers or on any machine in the domain.
The following registry script shows the keys to add. You can copy and paste this into a text file, save the file with a .reg extension, and double-click the file to make the registry changes. To add registry keys, the user must be an owner of the root key.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"AppID"="{76A64158-CB41-11D1-8B02-00600806D9B6}"

[HKEY_CLASSES_ROOT\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

[HKEY_CLASSES_ROOT\Wow6432Node\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
"DllSurrogate"="  "

Make sure that you include two spaces in the value of the key DllSurrogate.
Keep the empty lines as shown in the script above, including an empty line at the end of the file.
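The two requirements just stated (exactly two spaces in DllSurrogate, and the empty lines including the one at the end of the file) are easy to lose when the script is pasted through a web page or an editor that trims whitespace, and a .reg file that silently imports with a one-space value leaves the DCOM surrogate misconfigured with no error. The following Python is an added example, not Cisco or Microsoft code, that parses a Regedit 5.00 export and checks it against the keys and values listed above before the file is imported on the domain controller. The CLSID is the one from the page; EXPECTED_REG is a constructed copy of the script, and the function names are this example's own.

```python
# Added example: validate the .reg script above before importing it on a DC.
# Checks the header, the three keys, the exact two-space DllSurrogate value,
# and the trailing empty line. Illustrative code, not Cisco's own tooling.
import re

CLSID = "{76A64158-CB41-11D1-8B02-00600806D9B6}"

# Constructed copy of the page's script (CRLF line endings as regedit writes them).
EXPECTED_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    f"[HKEY_CLASSES_ROOT\\CLSID\\{CLSID}]\r\n"
    f'"AppID"="{CLSID}"\r\n'
    "\r\n"
    f"[HKEY_CLASSES_ROOT\\AppID\\{CLSID}]\r\n"
    '"DllSurrogate"="  "\r\n'
    "\r\n"
    f"[HKEY_CLASSES_ROOT\\Wow6432Node\\AppID\\{CLSID}]\r\n"
    '"DllSurrogate"="  "\r\n'
    "\r\n"
)

# Keys and the single string value each one must carry.
REQUIRED = {
    f"HKEY_CLASSES_ROOT\\CLSID\\{CLSID}": ("AppID", CLSID),
    f"HKEY_CLASSES_ROOT\\AppID\\{CLSID}": ("DllSurrogate", "  "),
    f"HKEY_CLASSES_ROOT\\Wow6432Node\\AppID\\{CLSID}": ("DllSurrogate", "  "),
}


def parse_reg(text: str) -> dict:
    """Parse a Regedit 5.00 export into {key_path: {value_name: string_value}}.
    Only quoted REG_SZ values are handled, which is all this script uses."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue                      # blank separator line between keys
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        keys[current][m.group(1)] = m.group(2)
    return keys


def check_reg_script(text: str) -> list:
    """Return a list of problems; an empty list means the script is as the page requires."""
    try:
        keys = parse_reg(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not text.endswith(("\r\n\r\n", "\n\n")):
        problems.append("file must end with an empty line")
    for path, (name, want) in REQUIRED.items():
        got = keys.get(path, {}).get(name)
        if got is None:
            problems.append(f"missing {name} under {path}")
        elif got != want:
            problems.append(f"{name} under {path} is {got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8-sig").read() if path else EXPECTED_REG
    for p in check_reg_script(data) or ["OK"]:
        print(p)
```

Run it with the .reg file as its argument (the file is read with a BOM-tolerant encoding, since regedit exports are often UTF-16 or BOM-prefixed and should be converted first) and import the file only when it prints OK.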
Permissions to Use DCOM on the Domain Controller
The Active Directory user used for ISE Passive Identity services must have permissions to use DCOM (remote COM) on the Domain Controller. You can configure permissions with the dcomcnfg command line tool.
Procedure
Step 1 |
Run the dcomcnfg tool from the command line. |
Step 2 |
Expand Component Services. |
Step 3 |
Expand . |
Step 4 |
Select Action from the menu bar, click Properties, and click COM Security. |
Step 5 |
Make sure that the account that ISE will use for both Access and Launch has Allow permissions. That Active Directory user should be added to all the four options (Edit Limits and Edit Default for both Access Permissions and Launch and Activation Permissions). |
Step 6 |
Allow all Local and Remote access for both Access Permissions and Launch and Activation Permissions. |
Set Permissions for Access to WMI Root/CIMv2 Name Space
By default, Active Directory users do not have the Execute Methods and Remote Enable permissions. You can grant access using the wmimgmt.msc MMC console.
Procedure
Step 1 |
Click Start > Run and type |
Step 2 |
Right-click WMI Control and click Properties. |
Step 3 |
Under the Security tab, expand Root and choose CIMV2. |
Step 4 |
Click Security. |
Step 5 |
Add the Active Directory user, and configure the required permissions as shown below. |
Grant Access to the Security Event Log on the AD Domain Controller
On Windows 2008 and later, you can grant access to the AD Domain controller logs by adding the ISE ID Mapping user to a group called Event Log Readers.
On all older versions of Windows, you must edit a registry key, as shown below.
Procedure
Step 1 |
To delegate access to the Security event logs, find the SID for the account. |
Step 2 |
Use the following command from the command line, also shown in the diagram below, to list all the SID accounts. You can also use the following command for a specific username and domain: |
Step 3 |
Find the SID, open the Registry Editor, and browse to the following location: |
Step 4 |
Click Security, and double-click CustomSD. See Figure 2-7. For example, to allow read access to the ise_agent account: |
Step 5 |
Restart the WMI service on the Domain Controller. You can restart the WMI services in the following two ways: |
Easy Connect
Easy Connect enables you to easily connect users from a wired endpoint to a network in a secure manner and monitor those users by authenticating them through an Active Directory Domain Controller and not by Cisco ISE. With Easy Connect, ISE collects user authentication information from the Active Directory Domain Controller. Because Easy Connect connects to a Windows system (Active Directory) using the MS WMI interface and queries logs from the Windows event messaging, it currently only supports Windows-installed endpoints. Easy Connect supports wired connections using MAB, which is much easier to configure than 802.1X. Unlike 802.1X, with Easy Connect and MAB:
-
You don't need to configure supplicants
-
You don't need to configure PKI
-
ISE issues a CoA after the external server (AD) authenticates the user
Easy Connect supports these modes of operation:
-
Enforcement-mode—ISE actively downloads the authorization policy to the network device for enforcement based on the user credentials.
-
Visibility-mode—ISE publishes session merge and accounting information received from the NAD device sensor in order to send that information to pxGrid.
In both cases, users authenticated with Active Directory (AD) are shown in the Cisco ISE live sessions view, and can be queried from the session directory using the Cisco pxGrid interface by third-party applications. The known information is the user name, IP address, the AD DC host name and the AD DC NetBIOS name. For more information about pxGrid, see the pxGrid Node section in Cisco ISE Admin Guide: Deployment.
Once you have set up Easy Connect, you can then filter certain users, based on their name or IP address. For example, if you have an administrator from IT services who logs in to an endpoint in order to assist the regular user with that endpoint, you can filter out the administrator activity so it does not appear in Live Sessions, but rather only the regular user of that endpoint will appear. To filter passive identity services, see Filter Passive Identity Services.
Easy Connect Restrictions
-
MAC Authentication Bypass (MAB) supports Easy Connect. Both MAB and 802.1X can be configured on the same port, but you must have a different ISE policy for each service.
-
Only MAB connections are currently supported. You do not need a unique authentication policy for connections, because the connection is authorized and permissions are granted by an Easy Connect condition defined in the authorization policy.
-
Easy Connect is supported in High Availability mode. Multiple nodes can be defined and enabled with a Passive ID. ISE then automatically activates one PSN, while the other nodes remain in standby.
-
Only Cisco Network Access Devices (NADs) are supported.
-
IPv6 is not supported.
-
Wireless connections are not currently supported.
-
Only Kerberos auth events are tracked and therefore Easy Connect enables only user authentication and does not support machine authentication.
Easy Connect requires configuration in ISE, while the Active Directory Domain server must also have the correct patches and configuration based on instructions and guidelines issued by Microsoft. For information about configuring the Active Directory domain controller for ISE, see Active Directory Requirements to Support Easy Connect and Passive Identity services.
Easy Connect Enforcement Mode
Easy Connect enables users to log on to a secure network from a wired endpoint (usually a PC) with a Windows operating system, by using MAC address bypass (MAB) protocol, and accessing Active Directory (AD) for authentication. ISE Easy Connect listens for a Windows Management Instrumentation (WMI) event from the Active Directory server for information about authenticated users. Once AD authenticates a user, the Domain Controller generates an event log that includes the user name and IP address allocated for the user. ISE receives notification of log in from AD, and then issues a RADIUS Change of Authorization (CoA).
Note |
MAC address lookup is not done for a MAB request when the RADIUS service-type is set to call-check. Therefore, the response to the request is access-accept. This is the ISE default configuration. |
Easy Connect Enforcement Mode Process Flow
The Easy Connect Enforcement mode process is as follows:
-
The user connects to the NAD from a wired endpoint (such as a PC).
-
The NAD (which is configured for MAB) sends an access request to ISE. ISE responds with access, based on user configuration, allowing the user to access AD. Configuration must allow at least access to DNS, DHCP and AD.
-
The user logs in to the domain and a security audit event is sent to ISE.
-
ISE collects the MAC address from RADIUS and the IP address and domain name, as well as accounting information (login information) about the user, from the security audit event.
-
Once all data is collected and merged in the ISE session directory, ISE issues a CoA to the NAD (based on the appropriate policy managed in the policy service node (PSN)), and the user is provided access by the NAD to the network based on that policy.
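The five steps above, together with the passive identity filter described under Easy Connect (hiding, for example, an IT administrator who logs in to a user's endpoint), come down to a merge keyed on IP address: the MAB session contributes the MAC and the NAD, the domain controller's audit event contributes the user and domain, and only a merged session can be matched against group-based rules and pushed to the NAD as a CoA. The following Python is an added example of that flow, not Cisco ISE code. The AD group lookup, the policy rules, the sample sessions and the login events are all constructed, and the class and function names are this example's own.

```python
# Added example: the Easy Connect enforcement-mode merge and CoA decision,
# modelled on the process flow above. Illustrative only, not ISE's session
# directory implementation.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusSession:        # learned from the NAD's MAB access request / accounting
    mac: str
    ip: str
    nad: str


@dataclass
class AdLoginEvent:         # learned from the DC's security audit log over WMI
    user: str
    ip: str
    domain: str


@dataclass
class Session:              # one entry in the session directory, keyed by IP
    mac: str
    ip: str
    nad: str
    user: Optional[str] = None
    domain: Optional[str] = None


# Constructed stand-in for the AD group lookup ISE performs after joining the domain.
AD_GROUPS = {
    "alice": {"Marketing"},
    "bob": {"Administration"},
    "helpdesk1": {"IT Services"},
}

# Constructed policy: (AD group, authorization profile to push via CoA); first match wins.
POLICY_RULES = [
    ("Marketing", "MARKETING_ACCESS"),
    ("Administration", "ADMIN_ACCESS"),
]


class SessionDirectory:
    def __init__(self, filtered_users=(), filtered_ips=()):
        # Passive identity filter: identities that must never be merged or shown.
        self.filtered_users = {u.lower() for u in filtered_users}
        self.filtered_ips = set(filtered_ips)
        self.by_ip: dict = {}

    def add_radius(self, s: RadiusSession) -> Session:
        """Step 2: MAB succeeded and the limited-access profile is in place."""
        self.by_ip[s.ip] = Session(mac=s.mac, ip=s.ip, nad=s.nad)
        return self.by_ip[s.ip]

    def add_ad_event(self, e: AdLoginEvent) -> Optional[str]:
        """Steps 3-5: merge the audit event by IP; return the profile to push via CoA,
        or None when nothing should change for that endpoint."""
        if e.user.lower() in self.filtered_users or e.ip in self.filtered_ips:
            return None         # filtered identity (e.g. the admin assisting the user)
        sess = self.by_ip.get(e.ip)
        if sess is None:
            return None         # no MAB session for this IP yet; nothing to merge
        sess.user, sess.domain = e.user, e.domain
        groups = AD_GROUPS.get(e.user.lower(), set())
        for group, profile in POLICY_RULES:
            if group in groups:
                return profile
        return None             # matched no rule; endpoint stays on limited access


def demo() -> dict:
    """Walk two endpoints through the flow and return the CoA decision per event."""
    d = SessionDirectory(filtered_users=["helpdesk1"])
    d.add_radius(RadiusSession(mac="00:11:22:33:44:55", ip="10.0.0.10", nad="sw1"))
    d.add_radius(RadiusSession(mac="00:11:22:33:44:66", ip="10.0.0.11", nad="sw1"))
    return {
        "alice": d.add_ad_event(AdLoginEvent("alice", "10.0.0.10", "EXAMPLE")),
        "helpdesk1": d.add_ad_event(AdLoginEvent("helpdesk1", "10.0.0.10", "EXAMPLE")),
        "bob_no_session": d.add_ad_event(AdLoginEvent("bob", "10.0.0.99", "EXAMPLE")),
        "bob": d.add_ad_event(AdLoginEvent("bob", "10.0.0.11", "EXAMPLE")),
    }


if __name__ == "__main__":
    for event, decision in demo().items():
        print(f"{event:15s} -> {decision}")
```

Two points the toy makes visible: a login event that arrives before the MAB session exists produces no CoA (the merge needs both halves), and a filtered identity leaves the existing session untouched, so the endpoint keeps showing the regular user rather than the administrator.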
For more information about configuring Enforcement mode, see Configure Easy Connect Enforcement-Mode.
Easy Connect Visibility Mode
With the Visibility mode, ISE only monitors accounting information from RADIUS (part of the device sensor feature in the NAD) and does not perform authorization. Easy Connect listens for RADIUS Accounting and WMI events, and publishes that information to logs and reports (and optionally, to pxGrid). When pxGrid is set up, both RADIUS accounting start and session termination are published to pxGrid during user login using Active Directory.
For more information about configuring Easy Connect Visibility mode, see Configure Easy Connect Visibility-Mode .
Configure Easy Connect Enforcement-Mode
Before you begin
-
For best performance, deploy a dedicated PSN to receive WMI events.
-
Create a list of Active Directory Domain Controllers for the WMI node, which receives AD login events.
-
Determine the Microsoft Domain that ISE must join to fetch user groups from Active Directory.
-
Determine the Active Directory groups that are used as a reference in the authorization policy.
-
If you are using pxGrid to share session data from network devices with other pxGrid-enabled systems, then define a pxGrid persona in your deployment. For more information about pxGrid, see the pxGrid Node section in Cisco ISE Admin Guide: Deployment
-
After successful MAB, the NAD must provide a limited-access profile, which allows the user on that port access to the Active Directory server (as described in the overview).
Procedure
Step 1 |
Enable the Passive Identity service on the dedicated Policy server (PSN) you intend to use for Easy Connect, so ISE can get group information and event information from Active Directory—Choose , open a node, and under General Settings, enable Enable Passive Identity Service. |
Step 2 |
Configure an Active Directory join point and domain controller to be used by Easy Connect. To do this, and for more information, see Active Directory Requirements to Support Easy Connect and Passive Identity services. |
Step 3 |
Optionally, map AD domain controller groups in order to create different policies for different groups of users (for example, a different policy for Marketing employees versus Administration employees)—Choose , select the Active Directory to use, select the Groups tab, and add the Active Directory groups you plan to use in your authorization policies. The Active Directory groups that you map for the Domain Controller are dynamically updated in the PassiveID dictionary and can then be used when you set up your policy condition rules. |
Step 4 |
Activate passive identity tracking—Choose . For any profiles to be used by Easy Connect, open the profile and enable Passive Identity Tracking. |
Step 5 |
Create policy rules—Choose , to create rules for Easy Connect. Click Add. Then define the condition: |
Step 6 |
Click Submit. |
Configure Easy Connect Visibility-Mode
Before you begin
-
For best performance, deploy a dedicated PSN to receive WMI events.
-
Create a list of Active Directory Domain Controllers for the WMI node, which receives AD login events.
-
Determine the Microsoft Domain that ISE must join to fetch user groups from Active Directory.
-
If you are using pxGrid to share session data from network devices with other pxGrid-enabled systems, then define a pxGrid persona in your deployment. For more information about pxGrid, see the pxGrid Node section in Cisco ISE Admin Guide: Deployment
Procedure
Step 1 |
Enable the Passive Identity service on the dedicated Policy server (PSN) you intend to use for Easy Connect, so ISE can get group information and event information from Active Directory—Choose , open a node, and under General Settings, enable Enable Passive Identity Service. |
Step 2 |
Configure an Active Directory join point and domain controller to be used by Easy Connect. To do this, and for more information, see Active Directory Requirements to Support Easy Connect and Passive Identity services. |
PassiveID Work Center
Passive Identity Connector (the PassiveID work center) offers a centralized, one-stop installation and implementation enabling you to easily and simply configure your network in order to receive and share user identity information with a variety of different security product subscribers such as Cisco Firepower Management Center (FMC) and Stealthwatch. As the full broker for passive identification, the PassiveID work center collects user identities from different provider sources, such as Active Directory Domain Controllers (AD DC), maps the user login information to the relevant IP addresses in use and then shares that mapping information with any of the subscriber security products that you have configured.
What is Passive Identity?
Standard flows offered by Cisco Identity Services Engine (ISE), which provide an authentication, authorization and accounting (AAA) server, and utilize technologies such as 802.1X or Web Authentication, communicate directly with the user or endpoint, requesting access to the network, and then using their login credentials in order to verify and actively authenticate their identity.
Passive identity services do not authenticate users directly, but rather gather user identities and IP addresses from external authentication servers such as Active Directory, known as providers, and then share that information with subscribers. The PassiveID work center first receives the user identity information from the provider, usually based on the user login and password, and then performs the necessary checks and services in order to match the user identity with the relevant IP address, thereby delivering the authenticated IP address to the subscriber.
Passive Identity Connector (the PassiveID work center) Flow
The flow for the PassiveID work center is as follows:
-
Provider performs the authentication of the user or endpoint.
-
Provider sends authenticated user information to .
-
ISE normalizes, performs lookups, merges, parses and maps user information to IP addresses and publishes mapped details to pxGrid.
-
pxGrid subscribers receive the mapped user details.
Initial Setup and Configuration
To get started using Cisco PassiveID work center quickly, follow this flow:
-
Ensure you have properly configured the DNS server, including configuring reverse lookup for the client machine from ISE. For more information, see DNS Server.
-
Enable the Passive Identity and pxGrid services on the dedicated Policy server (PSN) you intend to use for any of the Passive Identity services—Choose , open the relevant node, and under General Settings, enable Enable Passive Identity Service and pxGrid.
-
Synchronize clock settings for the NTP servers.
-
Configure an initial provider with the ISE Passive Identity Setup. For more information, see Getting Started with the PassiveID Setup
-
Configure a single or multiple subscribers. For more information, see Subscribers
After setting up an initial provider and subscriber, you can easily create additional providers (see the "Additional Passive Identity Service Providers" section in Cisco ISE Admin Guide: Asset Visibility) and manage your passive identification from the different providers in the PassiveID work center:
-
See the RADIUS Live Sessions section in Cisco ISE Admin Guide: Troubleshooting
-
See the Cisco ISE Alarms section in Cisco ISE Admin Guide: Troubleshooting
-
See the Reports section in Cisco ISE Admin Guide: Maintain and Monitor
-
See the TCP Dump Utility to Validate the Incoming Traffic section in Cisco ISE Admin Guide: Troubleshooting
PassiveID Work Center Dashboard
The Cisco PassiveID Work Center dashboard displays consolidated and correlated summary and statistical data that is essential for effective monitoring and troubleshooting, and is updated in real time. Dashlets show activity over the last 24 hours, unless otherwise noted. To access the dashboard, choose and then from the left panel choose Dashboard. You can only view the Cisco PassiveID Work Center Dashboard in the Primary Administration Node (PAN).
The Home page has two default dashboards that show a view of your PassiveID Work Center data:
-
Main—This view has a linear Metrics dashboard, chart dashlets, and list dashlets. In the PassiveID Work Center, the dashlets are not configurable. Available dashlets include:
-
Passive Identity Metrics—Passive Identity Metrics provides an overview of: the total number of unique live sessions currently being tracked, the total number of identity providers configured in the system, the total number of agents actively delivering identity data, and the total number of subscribers currently configured.
-
Providers—Providers provide user identity information to PassiveID Work Center. You configure the ISE probe (mechanisms that collect data from a given source) through which to receive information from the provider sources. For example, an Active Directory (AD) probe and an Agents probe both help ISE-PIC collect data from AD (each with different technology) while a Syslog probe collects data from a parser that reads syslog messages.
-
Subscribers—Subscribers connect to ISE to retrieve user identity information.
-
OS Types—The only OS type that can be displayed is Windows. Windows types display by Windows versions. Providers do not report the OS type, but ISE can query Active Directory to get that information. Up to 1000 entries are displayed in the dashlet. If you have more endpoints than that, or if you wish to display more OS types than Windows, you can upgrade to ISE.
-
Alarms—User identity-related alarms.
Active Directory as a Probe and a Provider
Active Directory (AD) is a highly secure and precise source from which to receive user identity information, including user name, IP address and domain name.
The AD probe, a Passive Identity service, collects user identity information from AD through WMI technology, while other probes use AD as a user identity provider through other technologies and methods. For more information about other probes and provider types offered by ISE, see the "Additional Passive Identity Service Providers" section in Cisco ISE Admin Guide: Asset Visibility.
By configuring the Active Directory probe you can also then quickly configure and enable these other probes (which also use Active Directory as their source):
-
Agent—Active Directory Agents
Note
The Active Directory agents are only supported on Windows Server 2008 and higher.
-
SPAN—SPAN
-
Endpoint probe—Endpoint Probe
In addition, configure the Active Directory probe in order to use AD user groups when collecting user information. You can use AD user groups for the AD, Agents, SPAN and Syslog probes. For more information about AD groups, see Configure Active Directory User Groups.
Set Up an Active Directory (WMI) Probe
To configure Active Directory and WMI for Passive Identity services, you can use the Passive ID Work Center Wizard (see Getting Started with the PassiveID Setup) or follow these steps (see also Active Directory Requirements to Support Easy Connect and Passive Identity services for additional information):
-
Configure the Active Directory probe. See Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point.
-
Create a list of Active Directory Domain Controllers for the WMI-configured node (or nodes) that receives AD login events. See Add Domain Controllers.
-
Configure the Active Directory in order for it to integrate with ISE. See Configure WMI for Passive ID.
-
(Optional) Manage the Active Directory Provider.
Getting Started with the PassiveID Setup
Before you begin
-
Ensure the Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
-
Ensure the Microsoft Active Directory account intended for the join operation is valid and is not configured with the Change Password on Next Login.
-
Ensure you have the privileges of a Super Admin or System Admin in ISE.
-
Enable the Passive Identity and pxGrid services on the dedicated Policy Service Node (PSN) you intend to use for any of the Passive Identity services: open the relevant node and, under General Settings, enable Passive Identity Service and pxGrid.
-
Ensure that ISE has an entry in the domain name server (DNS). Ensure you have properly configured reverse lookup for the client machine from ISE. For more information, see DNS Server.
Procedure
Step 1 |
From the Passive Identity Connector Overview screen, click Passive Identity Wizard. The PassiveID Setup opens: |
Step 2 |
Click Next to begin the wizard. |
Step 3 |
From the Active Directory step, enter a unique name that distinguishes this configured Active Directory join point quickly and easily in Join Point Name; in Active Directory Domain, enter the domain name of the Active Directory domain to which this node is connected; and enter your Active Directory administrator user name and password. For more information about these and other Active Directory settings, see Active Directory Settings. It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password are saved and used for all Domain Controllers (DC) that are configured for monitoring. |
Step 4 |
Click Next to define Active Directory groups and check any user groups to be included and monitored. The Active Directory user groups automatically appear based on the Active Directory join point you configured in the previous step. |
Step 5 |
Click Next again to move to the Domain Controllers step. From the Domain Controllers step, select the DCs to be monitored. If you choose Custom, then from the next screen select the specific DCs for monitoring. When finished, click Next. Once you have selected specific DCs, you have finished creating your first Active Directory provider and the summary screen itemizes the DCs selected and their details. |
Step 6 |
Click Exit to complete the wizard. |
What to do next
When you finish configuring Active Directory as your initial provider, you can easily configure additional provider types as well. For more information, see the "Additional Passive Identity Service Providers" section in Cisco ISE Admin Guide: Asset Visibility. Furthermore, you can now also configure a subscriber, designated to receive the user identity information that is collected by any of the providers you have defined. For more information, see Subscribers.
Manage the Active Directory Provider
Once you have created and configured your Active Directory join points, continue to manage the Active Directory probe with these tasks:
Active Directory Settings
Active Directory (AD) is a highly secure and precise source from which to receive user information, including user name and IP address.
To create and manage Active Directory probes by creating and editing join points, choose Active Directory from the left panel. For more information, see Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point.
Field | Description |
---|---|
Join Point Name |
A unique name that distinguishes this configured join point quickly and easily. |
Active Directory Domain |
The domain name for the Active Directory Domain to which this node is connected. |
Domain Administrator |
This is the user principal name or the user account name for the Active Directory user with administrator privileges. |
Password |
This is the domain administrator's password as configured in Active Directory. |
Specify Organizational Unit |
Enter the administrator's organizational unit information. |
Store Credentials |
It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password are saved and used for all Domain Controllers (DC) that are configured for monitoring. For the Endpoint probe, you must choose Store credentials. |
Field | Description |
---|---|
ISE Node |
The URL for the specific node in the installation. |
ISE Node Role |
Indicates whether the node is the Primary or Secondary node in the installation. |
Status |
Indicates whether the node is actively joined to the Active Directory domain. |
Domain Controller |
For nodes that are joined to Active Directory, this column indicates the specific Domain Controller to which the node is connected in the Active Directory Domain. |
Site |
When an Active Directory forest is joined with ISE, this field indicates the specific Active Directory site within the forest as it appears in the Active Directory Sites & Services area. |
Field | Description |
---|---|
Domain |
The fully qualified domain name of the server on which the domain controller is located. |
DC Host |
The host on which the domain controller is located. |
Site |
When an Active Directory forest is joined with ISE, this field indicates the specific Active Directory site within the forest as it appears in the Active Directory Sites & Services area. |
IP Address |
The IP address of the domain controller. |
Monitor Using |
Monitor Active Directory domain controllers for user identity information by one of these methods: |
To edit an existing Domain Controller from the list, click the link for the AD join point to be edited, go to the PassiveID tab and click Edit.
Field | Description |
---|---|
Host FQDN |
Enter the fully qualified domain name of the server on which the domain controller is located. |
Description |
Enter a unique description for this domain controller in order to easily identify it. |
User Name |
The administrator's user name for accessing Active Directory. |
Password |
The administrator's password for accessing Active Directory. |
Protocol |
Monitor Active Directory domain controllers for user identity information by one of these methods: |
Description |
---|
Active Directory groups are defined and managed from Active Directory and the groups for the Active Directory that is joined to this node can be viewed from this tab. For more information about Active Directory, see https://msdn.microsoft.com/en-us/library/bb742437.aspx. |
Field | Description |
---|---|
History interval |
The time during which the Passive Identity service reads user login information that already occurred. This is required upon startup or restart of the Passive Identity service to catch up with events generated while it was unavailable. When the Endpoint probe is active, it maintains the frequency of this interval. |
User session aging time |
The amount of time the user can be logged in. The Passive Identity service identifies new user login events from the DC, however the DC does not report when the user logs off. The aging time enables Cisco ISE to determine the time interval for which the user is logged in. |
NTLM Protocol settings |
You can select either NTLMv1 or NTLMv2 as the communications protocol between Cisco ISE and the DC. NTLMv2 is the recommended default. |
Additional Passive Identity Service Providers
In order to enable ISE to provide identity information (Passive Identity Service ) to consumers that subscribe to the service (subscribers), you must first configure an ISE probe, which connects to the identity provider.
Providers that have been mapped and are actively delivering information to ISE can be viewed in the session directory, from the Live Sessions menu. For more information about Live Sessions, see the RADIUS Live Sessions section in Cisco ISE Admin Guide: Troubleshooting.
The table below provides details about all of the provider and probe types available from ISE, while the remainder of the chapter provides information regarding all types available except for Active Directory which is described in detail, in a dedicated chapter. For more information, see Active Directory as a Probe and a Provider.
You can define these provider types:
Provider Type (Probe) | Description | Source System (Provider) | Technology | User Identity Information Collected | Document Link |
---|---|---|---|---|---|
Active Directory (AD) | A highly secure and precise source, as well as the most common, from which to receive user information. As a probe, AD works with WMI technology to deliver authenticated user identities. In addition, AD itself, rather than the probe, functions as a source system (a provider) from which other probes retrieve user data as well. | Active Directory Domain Controller | WMI | | |
Agents | A native 32-bit application installed on Active Directory domain controllers or on member servers. The Agent probe is a quick and efficient solution when using Active Directory for user identity information. | Agents installed on the domain controller or on a member server. | | | |
Endpoint | Always runs in the background in addition to other configured probes, in order to verify whether the user is still connected. | | WMI | Whether the user is still connected | |
SPAN | Sits on the network switch in order to listen to network traffic, and extract user identity information based on Active Directory data. | SPAN, installed on the switch, and Kerberos messages | | | SPAN |
API providers | Gather user identity information from any system programmed to communicate with a RESTful API client, using the RESTful API service offered by ISE. | Any system programmed to communicate with a REST API client. | RESTful APIs. User identity sent to subscribers in JSON format. | | |
Syslog | Parse syslog messages and retrieve user identities, including MAC addresses. | | Syslog messages | | |
Active Directory Agents
From the Passive Identity service work center, install the native 32-bit application (the Domain Controller (DC) agent) on the Active Directory (AD) domain controller or on a member server (depending on your configuration) to retrieve user identity information from AD and send those identities to the subscribers you have configured. The Agent probe is a quick and efficient solution when using Active Directory for user identity information. Agents can be installed on a separate domain or on the AD domain, and once installed they provide status updates to ISE once every minute.
The agents can be either automatically installed and configured by ISE, or you can manually install them. Upon installation, the following occurs:
-
The agent and its associated files are installed at the following path: Program Files/Cisco/Cisco ISE PassiveID Agent
-
A config file called PICAgent.exe.config is installed indicating the logging level for the agent. You can manually change the logging level from within the config file.
-
The CiscoISEPICAgent.log file is stored with all logging messages.
-
The nodes.txt file contains the list of all nodes in the deployment with which the agent can communicate. The agent contacts the first node in the list. If that node cannot be contacted, the agent continues to attempt communication according to the order of the nodes in the list. For manual installations, you must open the file and enter the node IP addresses. Once installed (manually or automatically), you can only change this file by manually updating it. Open the file and add, change or delete node IP addresses as necessary.
-
The Cisco ISE PassiveID Agent service runs on the machine, which you can manage from the Windows Services dialog box.
-
ISE supports up to 100 domain controllers, while each agent can monitor up to 10 domain controllers.
Note
In order to monitor 100 domain controllers, you must configure 10 agents.
Note |
The Active Directory agents are only supported on Windows Server 2008 and higher. If you cannot install agents, then use the Active Directory probe for passive identity services. For more information, see Active Directory as a Probe and a Provider. |
Automatically Install and Deploy Active Directory Agents
Before you begin
-
Configure reverse lookup for the relevant DNS servers from the server side. For more information about the DNS server configuration requirements for ISE, see DNS Server.
-
Ensure Microsoft .NET Framework is updated for the machine designated for the agents, to a minimum of version 4.0. For more information about the .NET framework, see https://www.microsoft.com/net/framework.
-
Activate Passive ID and pxGrid services. For more information, see Initial Setup and Configuration.
-
Create an AD join point and add at least one domain controller. For more information about creating join points, see Active Directory as a Probe and a Provider.
Use AD user groups for the AD, Agents, SPAN and Syslog probes. For more information about AD groups, see Configure Active Directory User Groups.
Procedure
Step 1 |
Choose Agents from the left panel to view all currently configured Domain Controller (DC) agents, to edit and delete existing agents, and to configure new agents. |
Step 2 |
To add a new agent, click Add from the top of the table. To edit or change an existing agent, check the agent in the table and click Edit from the top of the table. |
Step 3 |
To create the new agent and automatically install it on the host that you indicate in this configuration, select Deploy New Agent. |
Step 4 |
Complete all mandatory fields in order to configure the agent correctly. For more information, see Active Directory Agent Settings. |
Step 5 |
Click Deploy. The agent is automatically installed on the host according to the domain that you indicated in the configuration, and the settings are saved. The agent now also appears in the Agents table and can be applied to monitor specified domain controllers, as described in the following steps. |
Step 6 |
Choose Active Directory from the left panel to view all currently configured join points. |
Step 7 |
Click the link for the join point from which you would like to enable the agent you created. |
Step 8 |
Choose the Passive ID tab in order to work with the domain controllers that you added as part of the prerequisites. |
Step 9 |
Check the domain controller that you would like to monitor with the agent you created, and click Edit. |
Step 10 |
From the dialog box that opens, ensure the mandatory fields are completed; from the Protocol dropdown select Agent; from the Agent field that appears, select the agent you created from the dropdown list; enter the user name and password credentials if you created any for the agent; and click Save. The agent is enabled for the domain controller and the dialog box closes. |
Manually Install and Deploy Active Directory Agents
Before you begin
-
Configure reverse lookup for the relevant DNS servers from the server side. For more information about the DNS server configuration requirements for ISE, see DNS Server.
-
Ensure Microsoft .NET Framework is updated for the machine designated for the agents, to a minimum of version 4.0. For more information about the .NET framework, see https://www.microsoft.com/net/framework.
-
Activate Passive ID and pxGrid services. For more information, see Initial Setup and Configuration.
-
Create an AD join point and add at least one domain controller. For more information about creating join points, see Active Directory as a Probe and a Provider.
Use AD user groups for the AD, Agents, SPAN and Syslog probes. For more information about AD groups, see Configure Active Directory User Groups.
Procedure
Step 1 |
Choose Agents from the left panel to view all currently configured Domain Controller (DC) agents, to edit and delete existing agents, and to configure new agents. |
Step 2 |
Click Download Agent to download the picagent-installer.zip file for manual installation. The file is downloaded to your standard Windows Download folder. |
Step 3 |
Place the zip file on the designated host machine and run the installation. |
Step 4 |
From the ISE GUI, again choose Agents from the left panel. |
Step 5 |
To configure a new agent, click Add from the top of the table. To edit or change an existing agent, check the agent in the table and click Edit from the top of the table. |
Step 6 |
To configure the agent that you have already installed on the host machine, select Register Existing Agent. |
Step 7 |
Complete all mandatory fields in order to configure the agent correctly. For more information, see Active Directory Agent Settings. |
Step 8 |
Click Save. The agent settings are saved. The agent now also appears in the Agents table and can be applied to monitor specified domain controllers, as described in the following steps. |
Step 9 |
Choose Active Directory from the left panel to view all currently configured join points. |
Step 10 |
Click the link for the join point from which you would like to enable the agent you created. |
Step 11 |
Choose the Passive ID tab in order to work with the domain controllers that you added as part of the prerequisites. |
Step 12 |
Check the domain controller that you would like to monitor with the agent you created, and click Edit. |
Step 13 |
From the dialog box that opens, ensure the mandatory fields are completed; from the Protocol dropdown select Agent; from the Agent field that appears, select the agent you created from the dropdown list; enter the user name and password credentials if you created any for the agent; and click Save. The agent is enabled for the domain controller and the dialog box closes. |
Uninstall the Agent
Procedure
Step 1 |
From the Windows dialog, go to Programs and Features. |
Step 2 |
Find and select the Cisco ISE PassiveID Agent in the list of installed programs. |
Step 3 |
Click Uninstall. |
Active Directory Agent Settings
Allow ISE to automatically install agents on a specified host in the network in order to retrieve user identity information from different Domain Controllers (DC) and deliver that information to Passive Identity service subscribers.
To create and manage agents, choose Agents from the left panel. See Automatically Install and Deploy Active Directory Agents. View current agent statuses from the Agents table.
Field | Description |
---|---|
Name |
The agent name as you configured it. |
Host |
The fully qualified domain name of the host on which the agent is installed. |
Monitoring |
This is a comma separated list of domain controllers that the specified agent is monitoring. |
Field | Description |
---|---|
Deploy New Agent or Register Existing Agent |
Select Deploy New Agent to create the new agent and automatically install it on the host that you indicate in this configuration, or Register Existing Agent to configure an agent that you have already installed on the host machine. |
Name |
Enter a name by which you can easily recognize the agent. |
Description |
Enter a description by which you can easily recognize the agent. |
Host FQDN |
This is the fully qualified domain name for the host on which the agent is installed (register existing agent), or is to be installed (automatic deployment). |
User Name |
Enter your user name in order to access the host on which to install the agent. Passive Identity service uses these credentials in order to install the agent for you. |
Password |
Enter your user password in order to access the host on which to install the agent. Passive Identity service uses these credentials in order to install the agent for you. |
API Providers
The API Providers feature in Cisco ISE enables you to push user identity information from your customized program or from the terminal server (TS)-Agent to the built-in ISE passive identity services REST API service. In this way, you can customize a programmable client from your network to send user identities that were collected from any network access control (NAC) system to the service. Furthermore, the Cisco ISE API provider enables you to interface with network applications such as the TS-Agent on a Citrix server, where all users have the same IP address but are assigned unique ports.
For example, an agent running on a Citrix server that provides identity mappings for users authenticated against an Active Directory (AD) server can send REST requests to ISE to add or delete a user session whenever a new user logs in or off. ISE then takes the user identity information, including the IP address and assigned ports, delivered from the client and sends it to pre-configured subscribers, such as the Cisco Firepower Management Center (FMC).
The ISE REST API framework implements the REST service over the HTTPS protocol (no client certificate validation necessary) and the user identity information is delivered in JSON (JavaScript Object Notation) format. For more information about JSON, see http://www.json.org/ .
The ISE REST API service parses user identities and, in addition, maps that information to port ranges in order to distinguish between the different users logged in simultaneously to one system. Every time a port is allocated to a user, the API sends a message to ISE.
The REST API Provider Flow
Once you have configured a bridge to your customized client from ISE by declaring that client as a Provider for ISE and enabling that specific customized program (the client) to send RESTful requests, the ISE REST service works in the following way:
-
For client authentication, ISE requires an authentication token. A customized program on the client machine sends a request for an authentication token when initiating contact and then every time ISE notifies that the previous token has expired. The token is returned in response to the request, enabling ongoing communication between the client, and the ISE service.
-
Once a user has logged into the network, the client retrieves user identity information and posts that information to the ISE REST service using the API Add command.
-
ISE receives and maps the user identity information.
-
ISE sends the mapped user identity information to the subscriber.
-
Whenever necessary, the customized machine can send a request to remove user information by sending a Remove API call and including the user ID received as the response when the Add call was sent.
Work with REST API Providers in ISE
Follow these steps to activate the REST service in ISE:
-
Configure the client side. For more information, see the client user documentation.
-
Activate Passive ID and pxGrid services. For more information, see Initial Setup and Configuration.
-
Ensure you have properly configured the DNS server, including configuring reverse lookup for the client machine from ISE. For more information about the DNS server configuration requirements for ISE, see DNS Server.
-
See Configure a Bridge to the ISE REST Service for Passive Identity Services.
Note
To configure the API Provider to work with a TS-Agent add the TS-Agent information when creating a bridge from ISE to that agent, and then consult with the TS-Agent documentation for information about sending API calls.
-
Generate an authentication token and send add and remove requests to the API service. See API Calls.
Configure a Bridge to the ISE REST Service for Passive Identity Services
In order to enable the ISE REST API service to receive information from a specific client, you must first define the specific client from ISE. You can define multiple REST API clients with different IP addresses.
Before you begin
-
Ensure you have activated Passive ID and pxGrid services. For more information, see Initial Setup and Configuration.
-
Ensure you have properly configured the DNS server, including configuring reverse lookup for the client machine from ISE. For more information about the DNS server configuration requirements for ISE, see DNS Server.
Procedure
Step 1 |
Choose API Providers from the left panel to view all currently configured clients, to edit and delete existing clients, and to configure new clients. The API Providers table is displayed, including status information for each existing client. |
Step 2 |
To add a new client, click Add from the top of the table. To edit or change an existing client, check the client in the table and click Edit from the top of the table. |
Step 3 |
Complete all mandatory fields in order to configure the client correctly. For more information, see API Provider Settings. |
Step 4 |
Click Submit. The client configuration is saved and the screen displays the updated API Providers table. The client can now send posts to the ISE REST service. |
What to do next
Send API Calls to the Passive ID REST Service
Procedure
Step 1 |
Enter the Cisco ISE URL in the address bar of your browser (for example, https://<ise hostname or ip address>/admin/) |
Step 2 |
Enter the username and password that you specified and configured from the API Providers screen in the ISE GUI. For more information, see Configure a Bridge to the ISE REST Service for Passive Identity Services. |
Step 3 |
Press Enter. |
Step 4 |
Enter the API call in the URL Address field of the target node as follows: |
Step 5 |
Click Send to issue the API call. |
What to do next
API Provider Settings
Choose API Providers from the left panel to configure a new REST API client for Passive Identity services.
Note |
The full API definition and object schemas can be retrieved with a request call as follows: |
Field | Description |
---|---|
Name |
Enter a unique name for this client that distinguishes it quickly and easily from other clients. |
Description |
Enter a clear description of this client. |
Status |
Select Enabled to enable the client to interact with the REST services immediately upon completing configuration. |
Host/ IP |
Enter the IP address for the client host machine. Ensure you have properly configured the DNS server, including configuring reverse lookup for the client machine from ISE. |
User name |
Create a unique user name to be used when posting to the REST service. |
Password |
Create a unique password to be used when posting to the REST service. |
API Calls
Use these API calls to manage user identity events for Passive Identity services with Cisco ISE.
Purpose: Generate Authentication Token
-
Request
POST
https://<PIC IP address>:9094/api/fmi_platform/v1/identityauth/generatetoken
The request should contain the BasicAuth authorization header—provide the API provider's credentials as previously created from the ISE-PIC GUI. For more information see API Provider Settings.
-
Response Header
The header includes the X-auth-access-token. This is the token to be used when posting additional REST requests.
-
Response Body
HTTP 204 No Content
Purpose: Add User
-
Request
POST
https://<PIC IP address>:9094/api/identity/v1/identity/useridentity
Add X-auth-access-token in the header of the POST request. (For example, Header: X-auth-access-token, Value: f3f25d81-3ac5-43ee-bbfb-20955643f6a7)
-
Response Header
201 Created
-
Response Body
{
"user": "<username>",
"srcPatRange": {
"userPatStart": <user PAT start value>,
"userPatEnd": <user PAT end value>,
"patRangeStart": <PAT range start value>
},
"srcIpAddress": "<src IP address>",
"agentInfo": "<Agent name>",
"timestamp": "<ISO 8601 format, i.e. YYYY-MM-DDTHH:MM:SSZ>",
"domain": "<domain>"
}
-
Notes
-
srcPatRange can be removed from the above JSON to create a single-IP user binding.
-
Response body contains the "ID" which is the unique identifier for the user session binding created. Use this ID when sending a DELETE request to indicate which user should be removed.
-
This response also contains the self link, which is the URL for this newly created user session binding.
-
Purpose: Remove User
-
Request
DELETE
https://<PIC IP address>:9094/api/identity/v1/identity/useridentity/<id>
In <id> enter the ID as was received from the Add response.
Add the X-auth-access-token in the header of the DELETE request. (For example, Header: X-auth-access-token, Value: f3f25d81-3ac5-43ee-bbfb-20955643f6a7)
-
Response Header
200 OK
-
Response Body
Response body contains the details about the user session binding which got deleted.
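The three calls above as one client flow, written as an added example (not Cisco's code): it assumes a reachable ISE PassiveID node, uses constructed credentials and identity values, and, because the page gives no response schema, treats the name of the binding ID key in the Add response and the HTTP status by which ISE reports an expired token as assumptions.

```python
"""Client for the three Passive ID REST API calls listed above: generate token,
add user, remove user. Added example, not Cisco code; see lead-in for assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple

TOKEN_PATH = "/api/fmi_platform/v1/identityauth/generatetoken"
IDENTITY_PATH = "/api/identity/v1/identity/useridentity"
TOKEN_HEADER = "X-auth-access-token"


def base_url(pic_host: str, port: int = 9094) -> str:
    return f"https://{pic_host}:{port}"


def token_request(pic_host: str, api_user: str, api_password: str) -> urllib.request.Request:
    """POST generatetoken carrying a BasicAuth header built from the API provider credentials."""
    creds = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    return urllib.request.Request(base_url(pic_host) + TOKEN_PATH, method="POST",
                                  headers={"Authorization": "Basic " + creds})


def identity_body(user: str, src_ip: str, domain: str, agent_name: str, timestamp: str,
                  pat_range: Optional[Tuple[int, int, int]] = None) -> dict:
    """Build the Add User body with the fields the page lists. Without srcPatRange
    the binding is a single IP; with it, the user is bound to a port range, which is
    how users sharing one IP on a Citrix / TS-Agent host are told apart."""
    body = {"user": user, "srcIpAddress": src_ip, "agentInfo": agent_name,
            "timestamp": timestamp,  # ISO 8601, e.g. 2024-01-31T08:15:00Z
            "domain": domain}
    if pat_range is not None:
        user_start, user_end, range_start = pat_range
        body["srcPatRange"] = {"userPatStart": user_start, "userPatEnd": user_end,
                               "patRangeStart": range_start}
    return body


def add_request(pic_host: str, token: str, body: dict) -> urllib.request.Request:
    """POST useridentity; the token travels in the X-auth-access-token header."""
    return urllib.request.Request(base_url(pic_host) + IDENTITY_PATH, method="POST",
                                  data=json.dumps(body).encode(),
                                  headers={TOKEN_HEADER: token, "Content-Type": "application/json"})


def remove_request(pic_host: str, token: str, binding_id: str) -> urllib.request.Request:
    """DELETE useridentity/<id> with the ID returned by the Add call."""
    return urllib.request.Request(f"{base_url(pic_host)}{IDENTITY_PATH}/{binding_id}",
                                  method="DELETE", headers={TOKEN_HEADER: token})


def binding_id_from(add_response: dict) -> Optional[str]:
    """The page says the Add response carries the binding ID; the key's case is assumed."""
    for key in ("ID", "id", "Id"):
        if key in add_response:
            return str(add_response[key])
    return None


def tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the ISE server certificate (add the CA of a self-signed ISE cert to the
    bundle) rather than turning verification off."""
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    return ctx


def fetch_token(pic_host: str, api_user: str, api_password: str, ctx: ssl.SSLContext) -> str:
    """The 204 response carries no body; the token is in the response header."""
    with urllib.request.urlopen(token_request(pic_host, api_user, api_password), context=ctx) as r:
        return r.headers[TOKEN_HEADER]


def session_flow(pic_host: str, api_user: str, api_password: str, body: dict,
                 ca_bundle: Optional[str] = None) -> str:
    """Token -> Add -> Remove. ISE signalling an expired token is assumed to surface
    as HTTP 401, in which case a fresh token is requested once and the Add retried."""
    ctx = tls_context(ca_bundle)
    token = fetch_token(pic_host, api_user, api_password, ctx)
    for attempt in (1, 2):
        try:
            with urllib.request.urlopen(add_request(pic_host, token, body), context=ctx) as r:
                created = json.loads(r.read())          # 201 Created
            break
        except urllib.error.HTTPError as err:
            if err.code != 401 or attempt == 2:
                raise
            token = fetch_token(pic_host, api_user, api_password, ctx)
    binding_id = binding_id_from(created)
    if binding_id is None:
        raise ValueError("Add response carried no binding ID")
    with urllib.request.urlopen(remove_request(pic_host, token, binding_id), context=ctx) as r:
        r.read()                                        # 200 OK, details of the deleted binding
    return binding_id


if __name__ == "__main__":
    # Constructed values; replace with a real PassiveID node and API provider credentials.
    sample = identity_body("jdoe", "10.1.1.5", "corp.example", "citrix-agent",
                           "2024-01-31T08:15:00Z", pat_range=(1024, 2047, 1024))
    print(session_flow("ise-pic.example.invalid", "apiuser", "s3cret", sample))
```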
SPAN
SPAN is a Passive Identity service that allows you to quickly and easily enable ISE to listen to the network and retrieve user information without having to configure Active Directory to work directly with ISE. SPAN sniffs network traffic, specifically examining Kerberos messages, extracts user identity information also stored by Active Directory and sends that information to ISE. ISE then parses the information, ultimately delivering user name, IP address and domain name to the subscribers that you have also already configured from ISE.
In order for SPAN to listen to the network and extract Active Directory user information, ISE and Active Directory must both be connected to the same switch on the network. In this way, SPAN can copy and mirror all user identity data from Active Directory.
With SPAN, user information is retrieved in the following way:
-
The user endpoint, on the network, logs in.
-
Log in and user data are stored in Kerberos messages.
-
Once the user logs in and the user data passes through the switch, SPAN mirrors the network data.
-
ISE listens to the network for user information and retrieves the mirrored data from the switch.
-
ISE parses the user information and updates passive ID mappings.
-
ISE delivers the parsed user information to the subscribers.
Working with SPAN
Before you begin
In order to enable ISE to receive SPAN traffic from a network switch, you must first define which nodes and node interfaces are to listen to the switch. You can configure SPAN in order to listen to the different installed ISE nodes. For each node, only one interface can be configured to listen to the network and the interface used to listen must be dedicated to SPAN only.
Before you begin, ensure you have activated Passive ID and pxGrid services. Only nodes for which Passive ID has been turned on will appear in the list of available interfaces for configuring SPAN. For more information, see Initial Setup and Configuration.
In addition, you must:
-
Ensure Active Directory is configured on your network.
-
Run a CLI on the switch in the network that is also connected to Active Directory in order to ensure the switch can communicate with ISE.
-
Configure the switch to mirror the network from AD.
-
Configure a dedicated ISE network interface card (NIC) for SPAN. This NIC is used only for SPAN traffic.
-
Ensure the NIC that you have dedicated to SPAN is activated via the command line interface.
-
Create a VACL that sends only Kerberos traffic into the SPAN port.
Procedure
Step 1 |
Choose SPAN from the left panel to configure SPAN. |
Step 2 |
Enter a meaningful description (optional), select status Enabled, and choose the nodes and the relevant NICs that will be used to listen to the network switch. For more information, see SPAN Settings. |
Step 3 |
Click Save. The SPAN configuration is saved and ISE is now actively listening to network traffic. |
SPAN Settings
From each node that you have deployed, quickly and easily configure ISE to receive user identities by installing SPAN on a client network.
Field | Description |
---|---|
Description |
Enter a unique description to remind you of which nodes and interfaces are currently enabled. |
Status |
Select Enabled to enable the client immediately upon completing configuration. |
Interface NIC |
Select one or more of the nodes installed for ISE, and then for each selected node, choose the node interface that is to listen to the network for information. |
Syslog Providers
With the Syslog feature, the Passive Identity service parses syslog messages from any client (identity data provider) that delivers syslog messages, including regular syslog messages (from providers such as InfoBlox, Blue Coat, BlueCat, and Lucent) as well as DHCP syslog messages, and sends back user identity information, including MAC addresses. This mapped user identity data is then delivered to subscribers.
The Passive Identity service utilizes syslog messages received from a variety of providers once the administrator activates Passive ID and pxGrid services and configures the syslog client from the GUI. When configuring the provider, the administrator indicates the connection method (TCP or UDP) and the syslog template to be used for parsing.
Note |
When TCP is the configured connection type and the host name cannot be parsed because of a problem with the message header, ISE attempts to match the source IP address of the received packet to the IP address of one of the providers already configured for syslog messages in ISE. To view this list, choose Syslog Providers from the left panel. It is recommended that you check the message headers and customize them if necessary to guarantee that parsing succeeds. For more information about customizing headers, see Customize Syslog Headers. |
Once configured, the syslog probe sends syslog messages that are received to the ISE parser, which maps the user identity information, and publishes that information to ISE. ISE then delivers the parsed and mapped user identity information to the Passive Identity service subscribers.
Note |
DHCP syslog messages do not contain user names. Therefore, these messages are delivered from the parser with a delay so that ISE can first check the users registered in the local session directory (displayed from Live Sessions) and attempt to match those users, by IP address, to the IP addresses listed in the received DHCP syslog messages, in order to correctly parse and deliver user identity information. If the data received from a DHCP syslog message cannot be matched to any of the currently logged-in users, the message is not parsed and no user identity is delivered. |
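The two fallback rules in the notes above, as an added illustration that is not Cisco's code: the provider is identified from the header host name with a fallback to the packet's source IP against the configured provider list, and a DHCP message (which carries no user name) is resolved against the local session directory or dropped. Provider names, IP addresses, session entries and message formats are all constructed for this example.

```python
import re

# Constructed: providers configured in the Syslog Providers table (host name -> IP)
PROVIDERS = {"dhcp01.example.com": "10.0.0.5", "adlog.example.com": "10.0.0.9"}

# Constructed: snapshot of the local session directory (what Live Sessions shows)
SESSIONS = {"10.1.2.3": "alice", "10.1.2.4": "bob"}

# Constructed header and body templates (real templates are configured per provider)
HEADER_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<body>.*)$")
USER_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>[\d.]+)")
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")


def resolve_provider(msg, src_ip):
    """Return (provider host, body). Uses the header host name when it names a
    configured provider; otherwise falls back to matching the packet source IP."""
    m = HEADER_RE.match(msg)
    if m and m.group("host") in PROVIDERS:
        return m.group("host"), m.group("body")
    body = m.group("body") if m else msg
    for host, ip in PROVIDERS.items():
        if ip == src_ip:
            return host, body
    return None, body  # not attributable to any configured provider


def parse_identity(body, sessions=SESSIONS):
    """Map a message body to {user, ip, mac}, or None when no identity can be derived."""
    m = USER_RE.search(body)
    if m:
        return {"user": m["user"], "ip": m["ip"], "mac": None}
    m = DHCP_RE.search(body)
    if m:
        user = sessions.get(m["ip"])  # DHCP message has no user name: look up the IP
        if user is None:
            return None  # no logged-in user at that IP: message is not parsed
        return {"user": user, "ip": m["ip"], "mac": m["mac"]}
    return None


def process(msg, src_ip, sessions=SESSIONS):
    """Full path: identify the provider, then map identity; None if either step fails."""
    host, body = resolve_provider(msg, src_ip)
    if host is None:
        return None
    ident = parse_identity(body, sessions)
    return None if ident is None else dict(ident, provider=host)
```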
In order to parse syslog messages for user identity from ISE:
-
Configure syslog clients from which to receive user identity data—Configure Syslog Clients
-
Customize a single message header—Customize Syslog Headers
-
Customize message bodies by creating templates—Customize the Syslog Message Body
-
Use the message templates pre-defined in ISE when configuring your syslog client as the message template used for parsing, or base your customized header or body templates on these pre-defined templates—Work with Syslog Pre-Defined Message Templates.
Configure Syslog Clients
In order to enable ISE to listen to syslog messages from a specific client, you must first define the specific client from ISE. You can define multiple providers with different IP addresses.
Before you begin
Before you begin, ensure you have activated Passive ID and pxGrid services. For more information, see Initial Setup and Configuration.
Procedure
Step | Action
---|---
Step 1 | Choose Syslog Providers from the left panel to view all currently configured clients, to edit and delete existing clients, and to configure new clients. The Syslog Providers table is displayed, including status information for each existing client.
Step 2 | To configure a new syslog client, click Add from the top of the table. To edit or change a previously configured client, check the client in the table and click Edit from the top of the table.
Step 3 | Complete all mandatory fields (see Syslog Settings for more details) and create a message template if necessary (see Customize the Syslog Message Body for more details) in order to configure the client correctly.
Step 4 | Click Submit. The client configuration is saved and the screen displays the updated Syslog Providers table.
Syslog Settings
Configure ISE to receive user identities, including MAC addresses, by way of syslog messages from a specific client. You can define multiple providers with different IP addresses.
From the left panel, choose Syslog Providers, and then click Add from the table to create a new syslog client.
Field | Description
---|---
Name | Enter a unique name that distinguishes this configured client quickly and easily.
Description | A meaningful description of this Syslog provider.
Status | Select Enabled to enable the client immediately upon completing configuration.
Host |