
ISE AD administration based on User

bret
Level 3

I have a new ISE box and want to use AD for management. I have ISE successfully connected to AD and can authenticate to the management interface using AD. My next step is to filter specific users from the AD group for authentication. Is this possible? If so, any help or documents would be greatly appreciated.

Thanks in advance.

Bret


George Stefanick
VIP Alumni

Yes, you can use specific AD groups and apply ISE policy.

Configuring Active Directory Groups

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"

jj27
Spotlight
  1. Go to Administration -> Admin Access
  2. Click on Authentication and change the identity source to your AD server. Don't worry, the internal logins will still work and appear in a drop down should the AD server become unavailable.
  3. Expand Administrators then expand Admin Groups
  4. Create a new Admin Group and check the box for External
  5. Point to the External Group of the AD group you want to be able to administer ISE.
  6. Expand Authorization in the same menu.
  7. Click on Policy
  8. Create a new rule and point it to the Admin Group you created and assign the appropriate role permissions.

You're done!

bret
Level 3

Thank you both for a quick response. I have ISE joined to AD and can authenticate without any problem. Since the AD group I am using has several users I need to filter specific users out for ISE management. I am very new to ISE and from what I have read and what you mention George I need to create a policy filtering out the users. Is that correct?

I would recommend creating a new active directory group called "ISE Admins" or something and assigning that group to the ISE Admin group inside of ISE you created based on step 4 in my instructions above.

Although ISE can do the policy, for someone new to ISE I found it a little challenging, so I used an AD group. Thank you both for the quick response.
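
The dedicated-group approach recommended in the thread can be set up and audited from the AD side with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from Cisco; the group name "ISE Admins" comes from the suggestion above, while the OU path, the sAMAccountName `ISE-Admins` and the user names are placeholder assumptions.

```powershell
# Added example: create a dedicated AD group for ISE administrators and
# audit who can actually reach ISE admin access through it.
# Requires the ActiveDirectory module (RSAT) and rights to manage groups.
Import-Module ActiveDirectory

$GroupName = 'ISE Admins'                      # name suggested in the thread
$GroupSam  = 'ISE-Admins'                      # placeholder sAMAccountName
$GroupPath = 'OU=Groups,DC=example,DC=com'     # placeholder OU
$Approved  = @('alice.admin', 'bob.admin')     # placeholder approved accounts

# Create the group only if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupCategory Security -GroupScope Global -Path $GroupPath `
        -Description 'Members are mapped to an external Admin Group in ISE' `
        -PassThru
}

# Add approved users that are not direct members yet.
$direct = @(Get-ADGroupMember -Identity $group)
$directUsers = @($direct | Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName)
$toAdd = @($Approved | Where-Object { $_ -notin $directUsers })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# Audit 1: nested groups silently widen who can administer ISE.
$nested = @($direct | Where-Object objectClass -eq 'group')
foreach ($g in $nested) {
    Write-Warning "Nested group grants ISE admin access: $($g.SamAccountName)"
}

# Audit 2: effective (recursive) membership must match the approved list.
$effective = @(Get-ADGroupMember -Identity $group -Recursive |
    Select-Object -ExpandProperty SamAccountName)
$unexpected = @($effective | Where-Object { $_ -notin $Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unapproved accounts with ISE admin access: $($unexpected -join ', ')"
} else {
    Write-Output "Effective membership of '$GroupName' matches the approved list."
}
```

Running the audit half on a schedule catches membership drift in the AD group, which ISE will honor without any change on the ISE side.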