2013/11/08

Cisco ISE - part 2 - Integrating ISE with Microsoft AD

As I already mentioned, Cisco ISE is a product whose main purpose is to control users' network access. Many organizations manage their users and computers through Microsoft Active Directory, so it can be very handy to integrate Cisco ISE with Microsoft AD. With the integration you keep managing users and computers in AD, while the network access policy is created on the Cisco ISE server, based on AD groups and users.

Integration is actually pretty straightforward. There are some prerequisites, which can be found in the Cisco docs.

Before you start the integration of Cisco ISE and MS AD you have to make sure that the time on both servers is synchronized. Of course the best way to do this is to use NTP. To join Cisco ISE to the domain, you need a user account in AD. The best way is to create a separate account with only the privileges it needs; the required privileges are again listed in the Cisco docs.

When the user with the right privileges is created you can join Cisco ISE to the domain. To do this go to Administration -> Identity Management -> External Identity Sources -> Active Directory.

First go to the Connection tab. Enter your organization's domain name and an identity store name, which can be any name you choose. Click Save Configuration. Now you are ready to join Cisco ISE to the domain. You can click Test Connection to test the connection to your AD; this step is optional, but can be very helpful for troubleshooting. To join Cisco ISE to the domain, simply click the Join button and enter the username and password; if everything is OK your Cisco ISE will join the domain. Now you can retrieve groups from AD: click the Groups button and you get the list of groups in AD. Since the output is limited to 100 groups, you can filter the list to get the groups you want.
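The prerequisite checks and the service account creation described above can be scripted from a Windows admin host that has the ActiveDirectory module. The following is an added example, not code from the original post or from Cisco; the domain, OU, account name, DC host name and the `ISE-` group name prefix are placeholders, and the script creates a plain domain user only: the specific privileges Cisco requires for the join account are documented by Cisco and must still be granted to that account separately.

```powershell
# Added example (not from the original post): prepare and verify the
# prerequisites for the Cisco ISE domain join from a Windows admin host.
# Every name below is a placeholder for your own environment.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'                              # placeholder
$AccountOU   = 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'  # placeholder
$JoinAccount = 'svc-ise-join'                                  # placeholder
$DcHost      = 'dc01.corp.example.com'                         # placeholder
$GroupPrefix = 'ISE-'                                          # placeholder naming convention

# 1. Clock skew. The join authenticates with Kerberos, which rejects a client
#    whose clock is more than the domain's tolerance (5 minutes by default)
#    away from the DC. Measure this host's offset to the DC with w32tm.
$Match = w32tm /stripchart /computer:$DcHost /samples:3 /dataonly |
         Select-String -Pattern '([+-]\d+\.\d+)s' |
         Select-Object -Last 1
if (-not $Match) { throw "Could not measure the clock offset to $DcHost" }
$Offset = [double]$Match.Matches[0].Groups[1].Value
Write-Host ("Clock offset to {0}: {1}s" -f $DcHost, $Offset)
if ([math]::Abs($Offset) -gt 300) {
    throw "Clock skew exceeds 5 minutes; fix NTP before joining ISE."
}

# 2. Reachability of the DC services the join relies on (Kerberos 88,
#    LDAP 389, SMB 445). This checks the DC is listening; the ISE node
#    needs the same reachability through any firewall in between.
foreach ($Port in 88, 389, 445) {
    $Result = Test-NetConnection -ComputerName $DcHost -Port $Port -WarningAction SilentlyContinue
    if (-not $Result.TcpTestSucceeded) {
        throw "TCP port $Port on $DcHost is not reachable from this host."
    }
    Write-Host "TCP port $Port on $DcHost reachable"
}

# 3. Dedicated join account: random password, no Kerberos delegation,
#    and no group membership beyond the default Domain Users. Grant the
#    privileges listed in the Cisco docs to this account afterwards.
$Bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$Plain  = [Convert]::ToBase64String($Bytes)
$Secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
New-ADUser -Name $JoinAccount `
           -SamAccountName $JoinAccount `
           -UserPrincipalName "$JoinAccount@$Domain" `
           -Path $AccountOU `
           -AccountPassword $Secure `
           -Enabled $true `
           -AccountNotDelegated $true `
           -Description 'Cisco ISE AD join account; not for interactive logon'
Write-Host "One-time password for $JoinAccount (enter it in the ISE Join dialog): $Plain"
Remove-Variable -Name Plain, Secure, Bytes

# 4. ISE lists at most 100 groups per retrieval, so decide up front which
#    groups the access policy will reference and confirm they exist in AD.
$Groups = Get-ADGroup -Filter "Name -like '$GroupPrefix*'" |
          Select-Object -Property Name, DistinguishedName
Write-Host ("{0} group(s) match '{1}*'" -f @($Groups).Count, $GroupPrefix)
$Groups | Format-Table -AutoSize
```

Run it with domain admin rights before opening the Join dialog; the printed one-time password is what you enter there and it is cleared from the session immediately afterwards. On the ISE side, `show ntp` in the ISE CLI confirms that the node itself is synchronized.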

That is it. As you can see it is pretty straightforward process.

