Solved: RBAC policies using AD users

dgaikwad · ‎04-28-2020

Hi Experts,
Planning to use RBAC with AD users for various level of access to ISE.
Does that mean ports for AD 389 and others are needed to be open between the PAN and AD? or all of the domain controllers?
Does the authentication first go through the PSN and then to PAN?

Is there a reference where it talks about the flow, when RBAC with AD users is used?

Mike.Cifelli · ‎04-28-2020

This should cover things more in-depth: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_overview_2_7.html#concept_7642DD36C0DD424CA423615BF013D0B9

See here under (External Identity Sources and Resources (Outbound)) for ports reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

The authentication is from the PAN when referencing admin access since the PAN runs the Administrators portal. You have the ability to tweak settings via the PAN to limit access/control based on IP as well. That should be covered in the top doc. HTH!

View solution in original post

Mike.Cifelli · ‎04-28-2020

This should cover things more in-depth: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/workflow/html/b_overview_2_7.html#concept_7642DD36C0DD424CA423615BF013D0B9

See here under (External Identity Sources and Resources (Outbound)) for ports reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

The authentication is from the PAN when referencing admin access since the PAN runs the Administrators portal. You have the ability to tweak settings via the PAN to limit access/control based on IP as well. That should be covered in the top doc. HTH!

dgaikwad · ‎04-28-2020

Thank you! That does really clear up the doubt about this configuration.