Enthusiast

Cisco ISE's retrieval of user's group membership from Active directory.

Hello Experts,

I am quite new to Active Directory's integration with Cisco ISE. I have found a document which is quite educative; however, I still have some doubts.

We are proposing a POC for a networking setup comprising a Cisco Wireless LAN Controller, ISE and Microsoft Active Directory.

a) We have a requirement to map multiple user groups defined on AD to multiple authorization policies defined on ISE.

b) The wireless users belonging to different user groups will associate through a single WLAN SSID.

c) Authentication of wireless users takes place at AD, while the authorization takes place at ISE.

Based on the AD attribute tokenGroups, ISE evaluates the user's group membership and accordingly applies the authorization profile mapped to the user's group.

d) Authorization profiles will give each unique user group different privileges: Internet access / Internet and Exchange Server access / Internet, Exchange Server and complete enterprise server access...

Below is the concern:
The authentication protocol that we are proposing is EAP-PEAP (MSCHAPv2). However, if we look at table 1 of the Cisco doc, it appears "User Groups and attributes retrieval" can take place only for EAP-TLS / EAP-FAST-TLS.
Could someone please share inputs on the POC that we are planning to have, its limitations, repercussions and recommendations?

Can user group retrieval from AD to ISE happen when EAP-PEAP (MSCHAPv2) is the authentication method in use?

Excerpts from the document:

1. Cisco ISE uses the AD attribute tokenGroups to evaluate a user's group membership. The Cisco ISE machine account must have permission to read the tokenGroups attribute.

2. You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. The SID provides accurate group assignment matching.

3. Authentication protocols supported by Active Directory (table 1 of the document, attached to the original post as the image "Authentication protocols supported by Active Directory.PNG").


5 Replies
Participant

Re: Cisco ISE's retrieval of user's group membership from Active directory.

Hi,

I wouldn't worry about that. Just configure your authentication/authorization rules to use the groups you've configured in AD (after you've previously imported them into ISE in the AD connector section, groups/attributes).

Regarding this phrase:

c) Authentication of wireless users takes place at AD, while the authorization takes place at ISE.

The authentication will also be handled by ISE (as in an authentication request), but using AD as a backend authentication server.

Thanks,
Octavian

Enthusiast

Re: Cisco ISE's retrieval of user's group membership from Active directory.

Thanks Octavian for your valuable inputs.

I am struggling to comprehend the flow of how things would work in my scenario.

Scenario:

A single SSID mapped to multiple user groups. Each user group may have a unique user database (ISE local database / AD), unique QoS requirements, unique network access privileges...

I am basically looking for the flowchart, starting from the client attempting association on an SSID, getting authenticated against the ISE/AD database and, most importantly, the role assignment handling at ISE.

Participant

Re: Cisco ISE's retrieval of user's group membership from Active directory.

Hi,

All your users have to belong to a specific group (HR, IT, etc.).

Your SSID will have 802.1X configured for it. From the ISE perspective, it's receiving 802.1X authentication requests from WLC/SSID_X.

Authentication policy:

Wireless_802.1x + SSID_X and

PEAP_MSCAPv2 - use Identity Source Seq LOCAL&AD

EAP_TLS - if issuer eq MyCA - use CA Source Seq

The above is just an example showing you that for the same SSID you can actually use different EAP authentication methods.

Authorization policy:

Wireless_8021x + SSID_X + (Internal ISE Group IT OR External AD Group IT) = IT_AUTHZ (that contains your specific/extra attributes)

Wireless_8021x + SSID_X + External AD Group HR = HR_AUTHZ (that contains your specific/extra attributes)

IT_AUTHZ = dACL name (it has to be configured on the WLC) + extra attributes that you can push via RADIUS VSA

BR,

Octavian
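As an added illustration of the flow asked about above (not code from the thread or from Cisco ISE), this Python model walks a single SSID's request through the authentication rule (identity source by EAP method) and the first-match authorization rules, matching the external AD groups by SID as the tokenGroups excerpt in the question describes. The SSID, issuer, profile, dACL and VSA names and the group SIDs are assumed/constructed values.

```python
# Added example: a simplified model of the ISE rule evaluation Octavian
# describes. Names (SSID_X, MyCA, IT_AUTHZ, HR_AUTHZ, dACLs, VSAs) and the
# group SIDs are assumed for illustration, not taken from any real deployment.
from dataclasses import dataclass, field

# Constructed sample objectSid values for the two external AD groups.
AD_GROUP_SIDS = {
    "IT": "S-1-5-21-1111-2222-3333-1105",
    "HR": "S-1-5-21-1111-2222-3333-1106",
}

@dataclass
class Request:
    nas_port_type: str                   # "Wireless-IEEE-802.11" from the WLC
    ssid: str
    eap_method: str                      # "PEAP-MSCHAPv2" or "EAP-TLS"
    cert_issuer: str = ""                # only meaningful for EAP-TLS
    token_groups: list = field(default_factory=list)   # SIDs from AD tokenGroups
    internal_groups: list = field(default_factory=list)  # ISE internal groups

def identity_source(req):
    """Authentication policy: choose the identity source sequence by EAP method."""
    if req.nas_port_type != "Wireless-IEEE-802.11" or req.ssid != "SSID_X":
        return None                      # the SSID rule does not match at all
    if req.eap_method == "PEAP-MSCHAPv2":
        return "LOCAL&AD"                # ISE local users first, then AD
    if req.eap_method == "EAP-TLS" and req.cert_issuer == "MyCA":
        return "CA_Source_Seq"
    return None

def in_ad_group(req, name):
    """Match an external AD group by SID, as ISE does, never by display name."""
    return AD_GROUP_SIDS[name] in req.token_groups

def authorize(req):
    """Authorization policy: first matching rule wins; nothing matched = reject."""
    if identity_source(req) is None:
        return {"result": "reject", "reason": "authentication rule not matched"}
    if "IT" in req.internal_groups or in_ad_group(req, "IT"):
        return {"result": "accept", "profile": "IT_AUTHZ",
                "dacl": "IT_ACL", "vsa": {"qos": "platinum"}}
    if in_ad_group(req, "HR"):
        return {"result": "accept", "profile": "HR_AUTHZ",
                "dacl": "HR_ACL", "vsa": {"qos": "silver"}}
    return {"result": "reject", "reason": "no authorization rule matched"}

if __name__ == "__main__":
    hr_user = Request("Wireless-IEEE-802.11", "SSID_X", "PEAP-MSCHAPv2",
                      token_groups=[AD_GROUP_SIDS["HR"]])
    print(authorize(hr_user))            # HR_AUTHZ with its dACL and VSA
```

A user who is in no configured group is rejected by the last line of `authorize`, which is the case to test first in a POC, since a user's group retrieval failing (for example, the machine account lacking read access to tokenGroups) shows up exactly this way.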

Enthusiast

Re: Cisco ISE's retrieval of user's group membership from Active directory.

Thank you Octavian Szolga for your precious time in responding to the query :)

Cisco Employee

Re: Cisco ISE's retrieval of user's group membership from Active directory.

Answer is below:

All your users have to belong to a specific group (HR, IT, etc.).

Your SSID will have 802.1X configured for it. From the ISE perspective, it's receiving 802.1X authentication requests from WLC/SSID_X.

Authentication policy:

Wireless_802.1x + SSID_X and

PEAP_MSCAPv2 - use Identity Source Seq LOCAL&AD

EAP_TLS - if issuer eq MyCA - use CA Source Seq

The above is just an example showing you that for the same SSID you can actually use different EAP authentication methods.

Authorization policy:

Wireless_8021x + SSID_X + (Internal ISE Group IT OR External AD Group IT) = IT_AUTHZ (that contains your specific/extra attributes)

Wireless_8021x + SSID_X + External AD Group HR = HR_AUTHZ (that contains your specific/extra attributes)

IT_AUTHZ = dACL name (it has to be configured on the WLC) + extra attributes that you can push via RADIUS VSA