11-30-2016 07:46 AM
Hi team,
In our environment, AD only holds all user accounts for authentication purposes. We don't have extra attributes such as a "contractor" group; everyone in AD is configured the same. We couldn't identify users.
All users attributes are on Sun ldap servers including Contractor or fulltime employee.
Can we use ISE to authenticate with AD ? And then use LDAP attributes for authorization ?
Thank you.
11-30-2016 07:50 AM
Yes
http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_01110.html#ID967
LDAP Group and Attribute Retrieval for Use in Authorization Policies
Cisco ISE can authenticate a subject (user or host) against an LDAP identity source by performing a bind operation on the directory server to find and authenticate the subject. After successful authentication, Cisco ISE can retrieve groups and attributes that belong to the subject whenever they are required. You can configure the attributes to be retrieved in the Cisco ISE Admin portal by choosing Administration > Identity Management > External Identity Sources > LDAP. These groups and attributes can be used by Cisco ISE to authorize the subject.
To authenticate a user or query the LDAP identity source, Cisco ISE connects to the LDAP server and maintains a connection pool.
You should note the following restrictions on group memberships when Active Directory is configured as an LDAP store:
• Users or computers must be direct members of the group defined in the policy conditions to match the policy rule.
• The defined group may not be a user’s or computer’s primary group. This restriction is applicable only when Active Directory is configured as an LDAP store.
• LDAP Group Membership Information Retrieval
• LDAP Attributes Retrieval
• LDAP Certificate Retrieval
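The flow the answer describes (bind against one identity source, then pull attributes from another and feed them to authorization rules) can be modelled outside ISE to see why the "direct members only" restriction matters. The following is an added example, not Cisco ISE code and not the documentation's own example. Both directories are constructed in-memory stubs: usernames, group DNs, the employeeType values and the password hashing are all invented for illustration, and a PBKDF2 comparison stands in for the real LDAP bind.

```python
"""Authenticate against an "AD" stub, authorize from a separate "LDAP" stub.

Added example (not ISE code). All directory data below is constructed.
"""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real directory never works this way


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000)


CONTRACTORS_DN = "CN=Contractors,OU=Groups,DC=corp,DC=example"
VENDOR_X_DN = "CN=Vendor-X,OU=Groups,DC=corp,DC=example"

# Constructed AD store: credentials plus memberOf, which lists DIRECT groups only.
AD_USERS = {
    "alice": {"password": _hash("alice-pass"), "memberOf": [VENDOR_X_DN]},
    "bob":   {"password": _hash("bob-pass"),   "memberOf": [CONTRACTORS_DN]},
    "carol": {"password": _hash("carol-pass"), "memberOf": []},
}
# Group objects: Vendor-X is nested inside Contractors, but alice's memberOf
# never shows Contractors, so a rule on Contractors will not match her.
AD_GROUPS = {
    CONTRACTORS_DN: [VENDOR_X_DN, "bob"],
    VENDOR_X_DN: ["alice"],
}

# Constructed enterprise LDAP store (the thread's separate directory): HR data by uid.
LDAP_ATTRS = {
    "alice": {"employeeType": "contractor", "department": "facilities"},
    "bob":   {"employeeType": "contractor", "department": "it"},
    "carol": {"employeeType": "fulltime",   "department": "finance"},
}


def ad_bind(username: str, password: str) -> bool:
    """Simulated bind: succeeds only when the account exists and the password verifies."""
    rec = AD_USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["password"], _hash(password))


def ldap_lookup(username: str) -> dict:
    """Attribute retrieval from the second source, done only after a successful bind."""
    return LDAP_ATTRS.get(username, {})


def is_direct_member(username: str, group_dn: str) -> bool:
    """What the doc's restriction means: only memberOf entries count, no nesting."""
    return group_dn in AD_USERS.get(username, {}).get("memberOf", [])


def is_effective_member(username: str, group_dn: str, _seen=None) -> bool:
    """Recursive membership, shown only for contrast with is_direct_member."""
    if _seen is None:
        _seen = set()
    if group_dn in _seen:
        return False
    _seen.add(group_dn)
    members = AD_GROUPS.get(group_dn, [])
    if username in members:
        return True
    return any(is_effective_member(username, m, _seen) for m in members if m in AD_GROUPS)


# Authorization rules in first-match order: (name, condition(user, ldap_attrs), result).
RULES = [
    ("contractor-by-ldap-attr", lambda u, a: a.get("employeeType") == "contractor", "ACL:contractor-restricted"),
    ("contractor-by-ad-group",  lambda u, a: is_direct_member(u, CONTRACTORS_DN),   "ACL:contractor-restricted"),
    ("fulltime-by-ldap-attr",   lambda u, a: a.get("employeeType") == "fulltime",   "ACL:employee-full"),
]


def authorize(username: str, password: str, rules=RULES):
    """Returns (authenticated, matched_rule_name, result)."""
    if not ad_bind(username, password):
        return (False, None, "deny")
    attrs = ldap_lookup(username)
    for name, cond, result in rules:
        if cond(username, attrs):
            return (True, name, result)
    return (True, "default", "deny")


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pass"), ("bob", "bob-pass"), ("carol", "carol-pass"), ("alice", "wrong")]:
        print(user, authorize(user, pw))
    # Group-only policy: alice is a nested member of Contractors, so she falls to default.
    print("alice, group rule only:", authorize("alice", "alice-pass", rules=[RULES[1]]))
```

The two contractor rules give the same result for bob but not for alice: her contractor status is visible through the LDAP employeeType attribute, while a rule on the AD Contractors group misses her because her membership is only via the nested Vendor-X group. That is the practical reason to carry the authorization attribute in the directory that actually holds it, rather than relying on group nesting.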
11-30-2016 08:02 AM
Hi Jason,
In the doc it is mentioned:
"Cisco ISE can authenticate a subject (user or host) against an LDAP identity source by performing a bind operation on the directory server to find and authenticate the subject. "
Right now I can only use AD for authentication; AD is not used as LDAP. We have a separate enterprise directory LDAP server to maintain all attributes.
Can we use these LDAP attributes for authorization?
Thank you.
11-30-2016 07:59 AM
Hi,
Yes, as long as you make the attributes available for use in the Authorization policy.
Regards,
-Tim
11-30-2016 08:04 AM
I think I have to try. I cannot put the LDAP server into the authentication policy. I can only put AD there, and try to use LDAP attributes for authorization.
Hope it will work.