Accepted Solutions
I tried finding examples of this authentication using Google and Bing searches but I didn't really find any and I am surprised that my goal/need seems to be so rare.
I found this though: ISE and LDAP Attributes Based Authentication - Cisco. This gave me an idea to test the Custom schema. Unbelievable but this helped!
So ISE Active Directory schema does not work properly, or? Of course I assumed that this is so standard and old stuff that it's just a formality there and can be chosen only to offer integration with other types of LDAP servers than just MS AD. But it's not like that.
I configured the custom schema like this:
I'm not sure if this is the ideal configuration but it works. For example, the subject and group objectclasses may be something else, maybe "top" as I see from the AD-objects' attributes, but nevermind.
Now Attributes tab. It turned out this place is meant to describe the building blocks to build the Authorisation policy. I pasted my admin test user's distinguishedName (CN=testuser,CN=...,OU=...,...,DC=contoso,DC=com) into "Example Subject" and pressed Retrieve Attributes. From the retrieved list I chose two rows: sAMAccountName and memberOf -- just because the first is the user name I want to use to log in to switches and the second one is to check the group membership. Back in the General tab, I chose the first of the two options "Subject Objects Contain..." because memberOf was shown in this retrieved list of attributes. And lastly, because the value of memberOf attribute was in the form of distinguishedName of the group I am authenticating against (CN=testgroup,OU=...,...,DC=contoso,DC=com), I chose that in the drop down list of "Subjects In Groups Are..." (if it wasn't like that by default already). I cleared what I had done in Groups tab earlier.
(Just a note to those who haven't done too much with AD. When using "Active Directory Users and Computers" in MMC and having this opened, choose View>Advanced Features to see more tabs when opening a user or group object. This gives the Attribute Editor tab from where it is very simple to copy and paste both attributes and values to ISE. Also, having the Attribute Editor opened, choose Filter (button)>Show only attributes that have values.)
And now the policy.
1. The main condition. I checked the Device type what I want (as I defined my test switch), then the Network Access>Protocol equals TACACS+ and lastly Network Condition>Allowed management networks (defined earlier) equals true.
2. Authentication policy. I left the Default only and used a custom order of authentication in Use column: first LDAP, then ISE (that is, Internal users from the ISE point of view). Options left as default.
3. Authorization policy. I want my order be 1. LDAP, 2. ISE. So I added two new lines with their conditions and I leftthe third Default as denying all commands.
3.1 The first line was puzzling: how to put there the simple "user is member of this AD-group"? That's where this memberOf attribute was helping, that is, it is in the list now to choose in the editor. It works like this: EIS_LDAPS·memberOf CONTAINS CN=testgroup,OU=...,...,DC=contoso,DC=com (this value can be pasted there as text). And the actions in the Results>Command Sets and Shell Profiles: my own defined allow all commands and attributes for the login (eg having the privilege level and session timeout set).
3.2 The second line is for ISE internal users. This was easier: IdentityGroup·Name EQUALS User Identity Group:<an ISE group with a test user inside, configured earlier>.
This way I got my authentication working against AD with LDAPS with ISE as the second option but I will most certainly tweak or improve the details in the upcoming days.
Maybe the best practice of these details in ISE is a bit different but I'm doing it first time so I can make it better later.
A warning too: negative testing (that other AD-users can't log in) is important in these AD-related authentications and not only in this case with ISE. For example, when using Continue in the options in the Authentication policy, any AD-user could log in (of course, provided they happen to have network level access to the switch management IP-address). I only tested this Continue to try to get the order of authenticating servers working this way: if the user is not present in the AD, then use ISE internal users. But as I suspected and as it was already described in this post, I had to use my own Identity Source Sequence for that: Solved: Re: ISE device authentication local and AD in one policy - Cisco Community. I have already seen this in the past with another device that when setting up AD authentication for device administration, I got it working (good!) and only after a couple of weeks or months I had a hunch and when testing a user that was not in the AD group meant for administration, that one also authenticated successfully (bad!).
I wrote all this down here so perhaps this could be useful to somebody else too.
Thank you who responded! I will ask other questions that are not related to the initial question in other posts.
I tried finding examples of this authentication using Google and Bing searches but I didn't really find any and I am surprised that my goal/need seems to be so rare.
I found this though: ISE and LDAP Attributes Based Authentication - Cisco. This gave me an idea to test the Custom schema. Unbelievable but this helped!
So ISE Active Directory schema does not work properly, or? Of course I assumed that this is so standard and old stuff that it's just a formality there and can be chosen only to offer integration with other types of LDAP servers than just MS AD. But it's not like that.
I configured the custom schema like this:
I'm not sure if this is the ideal configuration but it works. For example, the subject and group objectclasses may be something else, maybe "top" as I see from the AD-objects' attributes, but nevermind.
Now Attributes tab. It turned out this place is meant to describe the building blocks to build the Authorisation policy. I pasted my admin test user's distinguishedName (CN=testuser,CN=...,OU=...,...,DC=contoso,DC=com) into "Example Subject" and pressed Retrieve Attributes. From the retrieved list I chose two rows: sAMAccountName and memberOf -- just because the first is the user name I want to use to log in to switches and the second one is to check the group membership. Back in the General tab, I chose the first of the two options "Subject Objects Contain..." because memberOf was shown in this retrieved list of attributes. And lastly, because the value of memberOf attribute was in the form of distinguishedName of the group I am authenticating against (CN=testgroup,OU=...,...,DC=contoso,DC=com), I chose that in the drop down list of "Subjects In Groups Are..." (if it wasn't like that by default already). I cleared what I had done in Groups tab earlier.
(Just a note to those who haven't done too much with AD. When using "Active Directory Users and Computers" in MMC and having this opened, choose View>Advanced Features to see more tabs when opening a user or group object. This gives the Attribute Editor tab from where it is very simple to copy and paste both attributes and values to ISE. Also, having the Attribute Editor opened, choose Filter (button)>Show only attributes that have values.)
And now the policy.
1. The main condition. I checked the Device type what I want (as I defined my test switch), then the Network Access>Protocol equals TACACS+ and lastly Network Condition>Allowed management networks (defined earlier) equals true.
2. Authentication policy. I left the Default only and used a custom order of authentication in Use column: first LDAP, then ISE (that is, Internal users from the ISE point of view). Options left as default.
3. Authorization policy. I want my order be 1. LDAP, 2. ISE. So I added two new lines with their conditions and I leftthe third Default as denying all commands.
3.1 The first line was puzzling: how to put there the simple "user is member of this AD-group"? That's where this memberOf attribute was helping, that is, it is in the list now to choose in the editor. It works like this: EIS_LDAPS·memberOf CONTAINS CN=testgroup,OU=...,...,DC=contoso,DC=com (this value can be pasted there as text). And the actions in the Results>Command Sets and Shell Profiles: my own defined allow all commands and attributes for the login (eg having the privilege level and session timeout set).
3.2 The second line is for ISE internal users. This was easier: IdentityGroup·Name EQUALS User Identity Group:<an ISE group with a test user inside, configured earlier>.
This way I got my authentication working against AD with LDAPS with ISE as the second option but I will most certainly tweak or improve the details in the upcoming days.
Maybe the best practice of these details in ISE is a bit different but I'm doing it first time so I can make it better later.
A warning too: negative testing (that other AD-users can't log in) is important in these AD-related authentications and not only in this case with ISE. For example, when using Continue in the options in the Authentication policy, any AD-user could log in (of course, provided they happen to have network level access to the switch management IP-address). I only tested this Continue to try to get the order of authenticating servers working this way: if the user is not present in the AD, then use ISE internal users. But as I suspected and as it was already described in this post, I had to use my own Identity Source Sequence for that: Solved: Re: ISE device authentication local and AD in one policy - Cisco Community. I have already seen this in the past with another device that when setting up AD authentication for device administration, I got it working (good!) and only after a couple of weeks or months I had a hunch and when testing a user that was not in the AD group meant for administration, that one also authenticated successfully (bad!).
I wrote all this down here so perhaps this could be useful to somebody else too.
Thank you who responded! I will ask other questions that are not related to the initial question in other posts.
