
ISE and AD integration

Prasan Venky
Level 3

Hello All,

Can anyone tell me what are all the prerequisites when integrating ISE with AD..?

Thanks in advance.

Accepted Solution

Jatin Katyal
Cisco Employee

Hi Prasan,

Before you connect your ISE server with the Active Directory domain, you must check the following:

•Ensure that Cisco ISE hostnames are only 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters, which can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and only distinguished from one another by trailing digits or other identifiers.

•Ensure that your ISE server and Active Directory are time synchronized. Time in ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use NTP to synchronize time between ISE and Active Directory. For more information on NTP server settings, see the "System Time and NTP Server Settings" section.

Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for information on how to configure the NTP server settings from the CLI.

•If there is a firewall between ISE and Active Directory, certain ports need to be opened to allow ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol          Port Number
LDAP              389 (UDP)
SMB (1)           445 (TCP)
KDC (2)           88 (TCP)
Global Catalog    3268 (TCP), 3269
KPASS             464 (TCP)
NTP               123 (UDP)
LDAP              389 (TCP)
LDAPS (3)         636 (TCP)

(1) SMB = Server Message Block
(2) KDC = Kerberos Key Distribution Center
(3) LDAPS = Lightweight Directory Access Protocol over TLS/SSL

•The Active Directory username that you provide while joining an Active Directory domain should be predefined in Active Directory and should have permission to create and update computer account objects and to change passwords in the domain you are joining.

•Ensure that your Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.

Supported document:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1059011

Jatin Katyal
- Do rate helpful posts -

~Jatin

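The checklist in the accepted answer can be partly automated before the join is attempted. The script below is an added example written for this thread; it is not ISE or Cisco code. It reports ISE node names that exceed 15 characters or that collapse to the same NetBIOS name after truncation (the collision the first bullet warns about), checks a clock difference against the Kerberos skew tolerance (the Windows KDC default is 5 minutes, which is why a drifted clock fails the join even with correct credentials), confirms the domain controller name resolves, and probes the TCP ports from the table. The node names, domain and domain-controller name are constructed placeholders; UDP rows (LDAP 389/udp, NTP) are listed but not probed, because a UDP "connect" proves nothing.

```python
"""Pre-flight checks before joining Cisco ISE nodes to an AD domain.

Added example for this thread; it is not ISE or Cisco code. The node
names, domain and domain-controller address used below are constructed
placeholders, not values from the original post.
"""
import socket
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NETBIOS_MAX = 15
# Kerberos tolerates a limited clock difference between client and KDC;
# the Windows default policy is 5 minutes.
MAX_SKEW = timedelta(minutes=5)

# Default ports listed in the accepted answer: (service, port, transport).
REQUIRED_PORTS = [
    ("LDAP", 389, "tcp"),
    ("LDAP", 389, "udp"),
    ("SMB", 445, "tcp"),
    ("Kerberos KDC", 88, "tcp"),
    ("Global Catalog", 3268, "tcp"),
    ("Global Catalog TLS", 3269, "tcp"),
    ("Kerberos password change", 464, "tcp"),
    ("NTP", 123, "udp"),
    ("LDAPS", 636, "tcp"),
]


def netbios_name(hostname):
    """AD keys the computer account on the NetBIOS name: the first DNS
    label, upper-cased and cut to 15 characters."""
    return hostname.split(".")[0].upper()[:NETBIOS_MAX]


def hostname_problems(hostnames):
    """Report labels longer than 15 characters and, more importantly,
    distinct nodes that become the same NetBIOS name after truncation
    (the failure the accepted answer warns about)."""
    findings = []
    by_netbios = defaultdict(list)
    for host in hostnames:
        label = host.split(".")[0]
        if len(label) > NETBIOS_MAX:
            findings.append(f"{host}: label longer than {NETBIOS_MAX} characters")
        by_netbios[netbios_name(host)].append(host)
    for nb, hosts in by_netbios.items():
        if len(hosts) > 1:
            findings.append(f"{nb}: NetBIOS collision between {', '.join(hosts)}")
    return findings


def clock_skew_ok(ise_time, dc_time, max_skew=MAX_SKEW):
    """True if the two clocks are within the Kerberos-tolerated skew.
    Outside it the KDC rejects the join with a clock-skew error even
    though the join credentials are correct."""
    return abs(ise_time - dc_time) <= max_skew


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def port_report(dc, ports=REQUIRED_PORTS, timeout=2.0):
    """Probe the TCP ports. UDP (LDAP 389/udp, NTP) is connectionless, so a
    bare connect proves nothing; those rows are left as None rather than
    reporting a guess as a result."""
    report = {}
    for service, port, proto in ports:
        key = f"{service} {port}/{proto}"
        report[key] = check_tcp(dc, port, timeout) if proto == "tcp" else None
    return report


if __name__ == "__main__":
    # Constructed deployment: the two PSN names only differ after character 15.
    nodes = [
        "ise-psn-datacenter-01.corp.example",
        "ise-psn-datacenter-02.corp.example",
        "ise-pan-01.corp.example",
    ]
    for finding in hostname_problems(nodes):
        print("HOSTNAME:", finding)

    # Constructed timestamps: a 6-minute drift is enough to break Kerberos.
    ise_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print("CLOCK OK:", clock_skew_ok(ise_now, ise_now + timedelta(minutes=6)))

    # "dc01.corp.example" is a placeholder; point this at a real DC to run it.
    dc = "dc01.corp.example"
    try:
        socket.getaddrinfo(dc, None)
    except socket.gaierror:
        print(f"DNS: cannot resolve {dc}; fix the ISE name-server settings first")
    else:
        for key, ok in port_report(dc).items():
            state = "open" if ok else ("not probed" if ok is None else "BLOCKED")
            print(f"PORT {key}: {state}")
```

Run it from a host on the same network path that ISE will use to reach the domain controller, otherwise the port results reflect a different firewall policy than the one that matters. A "BLOCKED" on 88/tcp or 445/tcp is the usual reason a join fails before any credential is checked.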

3 Replies


In our implementation, we encountered a problem fetching users and groups from Active Directory into Cisco ISE.

The solution is below:

The Windows administrator should run the following script on a Domain Controller using the regular command prompt (not PowerShell).

******************************************************

Script:

dsacls "DC=domain,DC=ext" /I:T /G "HOSTNAME$":rp;tokenGroups

where:

domain = domain name

ext = domain extension (i.e. .com, .net, .org)

HOSTNAME = the hostname of ISE as it appears in Active Directory

The script grants ISE the AD permissions necessary to fetch groups, which is needed to match against ISE authentication/authorization policies.

Before running the script, please go to Administration > System > Settings > Protocols > RADIUS and uncheck the anomalous suppression.

******************************************************

Thank you and regards

Venkatesh Attuluri
Cisco Employee

• Ensure that your Cisco ISE server and Active Directory are time synchronized. Time in Cisco ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use NTP to synchronize time between Cisco ISE and Active Directory.

• If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory.

• If your Active Directory source has a multidomain forest, ensure that trust relationships exist between the domain to which Cisco ISE is connected and the other domains with resources to which you need access. For more information on establishing trust relationships, refer to the Microsoft Active Directory documentation.

• The DNS server that is configured in Cisco ISE using the ip name-server command should be able to resolve the domain names in your Active Directory identity source. Typically, the DNS server that is part of the Active Directory deployment is configured in Cisco ISE.

• The Active Directory username that you provide while joining an Active Directory domain should be predefined in Active Directory and should have any one of the following permissions:

– Add the workstation to the domain to which you are trying to connect.

– On the computer where the Cisco ISE account was created, establish permissions for creating computer objects or deleting computer objects before you join Cisco ISE to the domain.

– Permissions for searching users and groups that are required for authentication.

After you join your Cisco ISE server to the Active Directory domain, you might still need the permissions discussed previously to do the following:

– Join any secondary Cisco ISE servers to this domain

– Back up or restore data

– Upgrade Cisco ISE to a higher version if the upgrade process involves backup and restore

• If your Cisco ISE deployment has multiple nodes in a distributed setup, you must first define the Active Directory domain on the primary administration node and then explicitly join each of the secondary policy service nodes to that domain.

• Every Cisco ISE administrator account is assigned one or more administrative roles (Super Admin or System Admin) and the privileges associated with each of them.

• Cisco ISE does not support Microsoft Active Directory servers that reside behind a network address translator and have a Network Address Translation (NAT) address.
