Cisco ISE (3.3) integration with Active directory

Cisco ISE (Identity Services Engine) 3.3 have new look and feel however underlying concept remains the same. Cisco ISE can be integrated with Active directory to authenticate users, domain joined machines for machine authentication. We can also pull groups created on active directory. The group can be used in access control policies to provide the differentiated access. We can also use this integration to allow access to ISE web UI.

ISE active directory integration can be done by following below steps.

Step 1> Define logical name and domain details

Navigate to Administration > Identity management > External Identity Sources and Click on Active directory.

Enter details. Joint point name can be anything its a logical name, Under active directory domain enter the domain where you want to join your ISE.

Step 2> Enter domain credential to perform join operation

Select the Cisco ise node you want to join to active directory and click on join, Usually we join all the nodes to AD:

Enter the Ad credential to join the domain controller and click ok. The credential we use need to have proper permission to perform the join operation. The account needs three type of permissions:

1> Join permission – Create a machine account, Search machine account, Set attribute of the machine account
2> Leave Operation: Search machine account, Delete machine account.
3> Change password of own machine account, Search for users and machine accounts, Search for Groups

The account will be used one time only.

If there are any error the details can be checked by click on the error message:

A successful join operation shows as below:

Step 3> Select the active directory group to be used in Cisco ISE.

Pull group from AD (Active directory). To use the groups created on AD in policies we need to select the group. Navigate to Groups tab and click add, Select search from Directory:

Search the required group and click on Retrieve Groups, Select the desired group and click ok.

Ensure to click save

With this ISE is successfully integrated with active directory. A small test can be done to check if the integration is working by using Test user feature.

By following above steps we have successfully integrated Cisco ISE with Active directory and we have pulled the required group which can be further used in various policies.