The ISE was not designed to be an internal identity store or a device where all authentication credentials are kept. It is a policy decision engine which, amongst other features, can support internal credential storage.
However, if your organization's authentication credentials are already held on an external directory server such as Active Directory, Novell's eDirectory, Red Hat Directory Server, Open Directory or OpenLDAP, you can integrate that server with the Cisco ISE as an external identity store.
So let us take a sample use case and develop a topology based on it.
Q1. Integrate the Cisco ISE with Active Directory identified as an external identity store using an administrative account created on the AD.
Q2. Define two groups of users on the AD, “L2Admin” and “L3Admin”, and import them into the ISE. Define a user Mark that belongs to the “L2Admin” group and a user James that belongs to the “L3Admin” group.
Q3. Ensure that whenever a user from the L2Admin group logs into the ISE, he is assigned a privilege level of 10, and whenever a user from the L3Admin group logs in, he is dynamically granted a privilege level of 15.
The following devices and software versions were utilized for this topology setup:-
- Cisco ISE 1.1.2
- Cisco 3825 Router IOS 12.4(24)T8
- A Netgear hub to connect the ISE, AD and the Router
- Microsoft Windows Active Directory 2008 R2 Enterprise Server
Step 1: Install the Active Directory role on the Windows Server 2008 by selecting the Add Role option in the Initial Configuration Wizard. An installation walkthrough of Active Directory can be found at http://www.rebeladmin.com/2011/03/step-by-step-guide-to-setup-active-directory-windows-server-2008/
Note: Define the FQDN of the AD during installation as NH.com
Step 2: Create a group L2Admin and associate a user Mark to it, and create a group L3Admin and assign a user James to it. The Administrator account (created by default in AD) will be used by the ISE to join the domain and to modify/import users and groups in the Active Directory.
After the above installation, go to Run–>dsa.msc–>NH.com–>Users–>Right Click in the User Area–>New–>Group
When creating the user Mark, uncheck the “User must change password at next logon” field. Define James using the same approach.
Double-click the L2Admin group, select the Members tab, choose the Add option and select Mark as follows:-
This will bind Mark to the L2Admin group. The same needs to be replicated for James to be associated to the L3Admin group.
The ISE must be able to reach the Active Directory server so that the Cisco ISE can join the AD domain NH.com, so ensure the following connectivity check is successful:-
Step 3: Let us now make the ISE join the domain NH.com defined on the AD server.
Ensure that on the ISE the DNS server is set to point to the AD IP address (10.10.10.110), as the ISE will resolve the AD domain name via this IP address; do so with the ip name-server command as illustrated hereunder:-
Remember that this will restart all the processes on the ISE, leading to approximately 10 minutes of network downtime. Confirm the successful restart of all the processes by executing the following:-
Select Administration–>External Identity Stores–>Active Directory
Save the above configuration and select the option of Test Connection–>Detailed Test to confirm reachability to the domain controller and other synchronization pre-requisites.
Select the Join option and a Join Operation Status dialog will be launched.
Step 4: Import the groups of L2Admin and L3Admin defined on the AD into the ISE.
Save the above configuration on the ISE.
Step 5: Define an Authentication Policy on the ISE such that every user remotely logging into a device is authenticated against the ISE-AD join point defined in Step 3. When a user remotely logs into a RADIUS client, the RADIUS client sends an AVP (Attribute-Value Pair) named Service-Type that indicates the type of service being requested.
As per RADIUS RFC 2865, on which the ISE was designed, whenever a user logs into a RADIUS client the client sends AVP #6 (Service-Type) with a value of Login; using this attribute we will define a policy to identify remote device administrators as follows:-
Select Policy–>Authentication–>Actions –>Insert New Rule Above
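To see exactly what the rule condition above matches on, here is an added example (not from the original write-up) that builds and decodes a minimal RFC 2865 Access-Request in Python and reports the Service-Type the RADIUS client sent; the username, the assumed router address 10.10.10.1 and the zeroed Request Authenticator are constructed sample values.

```python
import struct

# RFC 2865 codes and attribute types used here (constructed sample, no live traffic).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6

# Service-Type values from RFC 2865 section 5.6; the ISE rule matches value 1 (Login).
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}


def build_access_request(username, nas_ip, service_type, identifier=1):
    """Assemble an Access-Request (zeroed authenticator; sample only)."""
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username.encode()
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + bytes(int(o) for o in nas_ip.split("."))
    attrs += struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)  # 4-byte integer value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header, rejecting lengths that lie."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:  # truncated attribute header
            raise ValueError("truncated attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # attribute Length includes its 2-byte header
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def service_type(packet):
    """Return the Service-Type name (e.g. 'Login'), or None if the client sent no AVP 6."""
    _, attrs = parse_attributes(packet)
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPES.get(struct.unpack("!I", value)[0], "Unknown")
    return None


if __name__ == "__main__":
    pkt = build_access_request("mark", "10.10.10.1", 1)
    print(service_type(pkt))  # Login
```

A Service-Type other than Login (or none at all) from a given device is the first thing to check when a login is not hitting the intended authentication rule.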