Solved: ISE AD administration based on User

bret · ‎02-18-2014

I have a new ISE box and want to use AD for management. I have ISE successfully connected to AD and can authenticate to the management interface using AD. My next step is to filter specific users from the AD group for authentication. Is this possible? If so, any help or documents would be greatly appreciated.

Thanks in advance.

Bret

George Stefanick · ‎02-18-2014

Yes, you can use specific AD groups and apply ISE poilcy.

Configuring Active Directory Groups

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

jj27 · ‎02-18-2014

I would recommend creating a new active directory group called "ISE Admins" or something and assigning that group to the ISE Admin group inside of ISE you created based on step 4 in my instructions above.

View solution in original post

George Stefanick · ‎02-18-2014

Yes, you can use specific AD groups and apply ISE poilcy.

Configuring Active Directory Groups

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

jj27 · ‎02-18-2014

Go to Administration -> Admin Access
Click on Authentication and change the identity source to your AD server. Don't worry, the internal logins will still work and appear in a drop down should the AD server become unavailable.
Expand Administrators then expand Admin Groups
Create a new Admin Group and check the box for External
Point to the External Group of the AD group you want to be able to administer ISE.
Expand Authorization in the same menu.
Click on Policy
Create a new rule and point it to the Admin Group you created and assign the appropriate role permissions.

You're done!

bret · ‎02-18-2014

Thank you both for a quick response. I have ISE joined to AD and can authenticate without any problem. Since the AD group I am using has several users I need to filter specific users out for ISE management. I am very new to ISE and from what I have read and what you mention George I need to create a policy filtering out the users. Is that correct?

jj27 · ‎02-18-2014

I would recommend creating a new active directory group called "ISE Admins" or something and assigning that group to the ISE Admin group inside of ISE you created based on step 4 in my instructions above.

bret · ‎02-19-2014

Allthough ISE can do the policy, for someone new to ISE I found it a little challenging, so I used an AD group. Thank you both for the quick response.