1106 Views · 5 Helpful · 4 Replies

Is Authentication with AD but Authorization using LDAP attributes possible?

csco11552159
Level 5

Hi team,

In our environment, AD only holds all user accounts for authentication purposes. We don't have extra attributes such as a "contractor" group; everyone in AD has the same configuration. We couldn't identify users.

All user attributes, including contractor or full-time employee, are on Sun LDAP servers.

Can we use ISE to authenticate with AD? And then use LDAP attributes for authorization?

Thank you.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

Yes

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_01110.html#ID967

LDAP Group and Attribute Retrieval for Use in Authorization Policies

Cisco ISE can authenticate a subject (user or host) against an LDAP identity source by performing a bind operation on the directory server to find and authenticate the subject. After successful authentication, Cisco ISE can retrieve groups and attributes that belong to the subject whenever they are required. You can configure the attributes to be retrieved in the Cisco ISE Admin portal by choosing Administration > Identity Management > External Identity Sources > LDAP. These groups and attributes can be used by Cisco ISE to authorize the subject.

To authenticate a user or query the LDAP identity source, Cisco ISE connects to the LDAP server and maintains a connection pool.

You should note the following restrictions on group memberships when Active Directory is configured as an LDAP store:

• Users or computers must be direct members of the group defined in the policy conditions to match the policy rule.

• The defined group may not be a user’s or computer’s primary group. This restriction is applicable only when Active Directory is configured as an LDAP store.

• LDAP Group Membership Information Retrieval

• LDAP Attributes Retrieval

• LDAP Certificate Retrieval

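Added example, not code from the thread or from Cisco: a small Python model of the flow the quoted documentation describes, with a simulated AD bind for authentication, a simulated LDAP lookup for the subject's attributes, and an ordered authorization rule set that honors the direct-membership restriction (nested group membership does not match). All account names, passwords, DNs and attribute values are constructed, and it assumes the AD username equals the LDAP uid so the second lookup can find the same subject.

```python
import hmac

# Constructed sample data: AD holds only credentials, the separate LDAP
# directory holds the attributes used for authorization.
AD_ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}

ENGINEERING = "cn=engineering,ou=groups,dc=example,dc=com"
ENG_LEADS = "cn=eng-leads,ou=groups,dc=example,dc=com"

LDAP_ENTRIES = {
    "alice": {"employeeType": "Contractor", "memberOf": []},
    "bob": {"employeeType": "FullTime", "memberOf": [ENGINEERING]},
    # carol reaches engineering only through the nested eng-leads group
    "carol": {"employeeType": "FullTime", "memberOf": [ENG_LEADS]},
}
GROUP_NESTING = {ENG_LEADS: ENGINEERING}  # deliberately never consulted


def ad_authenticate(username, password):
    """Simulated AD bind: verifies the credential only, returns no attributes."""
    stored = AD_ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def ldap_attributes(username):
    """Simulated LDAP lookup; assumes the AD username equals the LDAP uid."""
    return LDAP_ENTRIES.get(username, {})


def is_direct_member(attrs, group_dn):
    """Direct membership only, as the restriction above requires."""
    return group_dn in attrs.get("memberOf", [])


# Ordered authorization rules: (rule name, condition over LDAP attrs, profile)
AUTHZ_RULES = [
    ("Contractors", lambda a: a.get("employeeType") == "Contractor",
     "Contractor-Restricted"),
    ("Engineering staff", lambda a: a.get("employeeType") == "FullTime"
     and is_direct_member(a, ENGINEERING), "Employee-Full"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(username, password):
    """Authenticate against AD, then authorize on LDAP attributes -> (rule, profile)."""
    if not ad_authenticate(username, password):
        return ("AuthenticationFailed", "Reject")
    attrs = ldap_attributes(username)  # retrieved only after successful auth
    for name, condition, profile in AUTHZ_RULES:
        if condition(attrs):
            return (name, profile)
    return ("Default", DEFAULT_PROFILE)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("bob", "wrong")]:
        print(user, authorize(user, pw))
```

Carol falls through to the default rule even though eng-leads is nested inside engineering, which is the behaviour to expect from the direct-membership restriction quoted above.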

4 Replies


Hi Jason,

in the doc mentioned:

"Cisco ISE can authenticate a subject (user or host) against an LDAP identity source by performing a bind operation on the directory server to find and authenticate the subject. "


Right now I can only use AD for authentication; AD is not used as LDAP. We have a separate Enterprise directory LDAP server to maintain all attributes.

Can we use these LDAP attributes for authorization?

Thank you.

Timothy Abbott
Cisco Employee

Hi,

Yes, so long as you make the attributes available for use in the Authorization policy.

Regards,

-Tim

I think I have to try. I cannot put the LDAP server into the authentication policy. I can only put AD there, and try to use LDAP attributes for authorization.

Hope it will work.