cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1124
Views
5
Helpful
3
Replies

Integrate ISE with MS Active Directory for logins Authentication

s.kanth
Beginner
Beginner

Hi All,

 

Cisco ISE (2.4 ) is integrated with Microsoft AD. I would like to restrict ISE logins with AD logins like

 

These groups can be created in AD.

Groug1 - Full access

Group2 - RO Access

Grout3 - Sponsor Access

 

I just want make some account to access ISE login. I research on this requirement but could not find relevant documents. Please help!

 

Thanks

Sri

 

2 Accepted Solutions

Accepted Solutions

Angel_Inglese
Beginner
Beginner

Hi!

 

That's quite simple but you have to have everything tuned inside ISE, the guide for this is https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID269 and you can see that you can assign access based on a specific role, but for a summary you should:

 

1. Inside Administration > System > Admin Access > Authentication you should change the password based method:

 

 

ad ise.png

 

2. Then, inside Administration > System > Admin Access > Administrators > Admin Groups then add a new group:

ad ise 2.png

 

 

3. And last, you create a Policy inside Administration > System > Admin Access > Permissions > Policy for each group:

ad ise 3.png

 

4. Optional, if you want to use a different Permission options that you might need, please consider going to Administration > System > Admin Access > Permissions > Menu Access / Data Access to control your permissions list.

 

In the field you should find that the Cisco ISE 2.4 enables the option to choose wheather to connect via internal users or Active Directory option in the login page:

ad ise 4.png

 

 

Hope it helps,

 

**please, consider rating helpful or as a solution, thank you**

 

 

View solution in original post

hslai
Cisco Employee
Cisco Employee

Angel gave a good start, but no need to create new admin groups.

First of all, add the three groups from AD.

Screen Shot 2018-10-21 at 4.06.26 AM.png

 

For "full" ISE admin web access, after selecting AD as the ID source, go to "Super Admin" group, check the option "External" and put "Group1" as the External Group.

Screen Shot 2018-10-21 at 4.01.41 AM.png

For RO ISE admin web access, go to "Read Only Admin", check the option "External" and put "Group2" as the External Group.

Screen Shot 2018-10-21 at 4.02.11 AM.png

For Sponsor access, go to the Sponsor Groups, select the desired access, and pick members from the list of available groups.

Screen Shot 2018-10-21 at 4.03.06 AM.png

View solution in original post

3 Replies 3

Angel_Inglese
Beginner
Beginner

Hi!

 

That's quite simple but you have to have everything tuned inside ISE, the guide for this is https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID269 and you can see that you can assign access based on a specific role, but for a summary you should:

 

1. Inside Administration > System > Admin Access > Authentication you should change the password based method:

 

 

ad ise.png

 

2. Then, inside Administration > System > Admin Access > Administrators > Admin Groups then add a new group:

ad ise 2.png

 

 

3. And last, you create a Policy inside Administration > System > Admin Access > Permissions > Policy for each group:

ad ise 3.png

 

4. Optional, if you want to use a different Permission options that you might need, please consider going to Administration > System > Admin Access > Permissions > Menu Access / Data Access to control your permissions list.

 

In the field you should find that the Cisco ISE 2.4 enables the option to choose wheather to connect via internal users or Active Directory option in the login page:

ad ise 4.png

 

 

Hope it helps,

 

**please, consider rating helpful or as a solution, thank you**

 

 

 

This is the trick, that I forgot. Once It is enabled, I managed to complete rest easily. Thank you again!!!


@Angel_Inglese wrote:

Hi!

 

That's quite simple but you have to have everything tuned inside ISE, the guide for this is https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID269 and you can see that you can assign access based on a specific role, but for a summary you should:

 

1. Inside Administration > System > Admin Access > Authentication you should change the password based method:

 

 

ad ise.png

 

2. Then, inside Administration > System > Admin Access > Administrators > Admin Groups then add a new group:

ad ise 2.png

 

 

3. And last, you create a Policy inside Administration > System > Admin Access > Permissions > Policy for each group:

ad ise 3.png

 

4. Optional, if you want to use a different Permission options that you might need, please consider going to Administration > System > Admin Access > Permissions > Menu Access / Data Access to control your permissions list.

 

In the field you should find that the Cisco ISE 2.4 enables the option to choose wheather to connect via internal users or Active Directory option in the login page:

ad ise 4.png

 

 

Hope it helps,

 

**please, consider rating helpful or as a solution, thank you**

 

 


 Inside Administration > System > Admin Access > Authentication you should change the password based method:

hslai
Cisco Employee
Cisco Employee

Angel gave a good start, but no need to create new admin groups.

First of all, add the three groups from AD.

Screen Shot 2018-10-21 at 4.06.26 AM.png

 

For "full" ISE admin web access, after selecting AD as the ID source, go to "Super Admin" group, check the option "External" and put "Group1" as the External Group.

Screen Shot 2018-10-21 at 4.01.41 AM.png

For RO ISE admin web access, go to "Read Only Admin", check the option "External" and put "Group2" as the External Group.

Screen Shot 2018-10-21 at 4.02.11 AM.png

For Sponsor access, go to the Sponsor Groups, select the desired access, and pick members from the list of available groups.

Screen Shot 2018-10-21 at 4.03.06 AM.png

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers