
How to Integrate Cisco ISE with Microsoft Active Directory

Overview

In this lab, we show how to integrate Cisco ISE with Microsoft Active Directory. Today's enterprise network is growing rapidly, and employees are no longer using only work computers to access internal resources; mobile devices, personal laptops and similar endpoints are now common. VPNs allow remote access to resources inside the network, but because you may not know the security posture of the devices connecting, this can lead to security threats and data breaches. It is therefore imperative to secure access from anywhere and from any device, and identity-based network access control is how that is achieved: the access decision is tied to who (and what) is connecting rather than to where the connection comes from.

The Cisco Identity Services Engine enables a dynamic and automated approach to policy enforcement that simplifies the delivery of highly secure network access control. ISE supports software-defined access and automates network segmentation within IT and OT environments. Ref: link

 

Prerequisites:

To complete this lab, ensure that the following devices are up and running in your setup:

  • Microsoft Windows Server 2016 Standard
  • Cisco Identity Services Engine v2.4
  • Cisco IOL Switch
  • Cisco IOL Router

Cisco ISE integration with Active Directory

N.B.: I have already configured Active Directory Domain Services on the Windows Server, as well as IP addressing, the default gateway and the DNS servers. ISE relies on DNS to locate the domain controllers, so the DNS servers configured on ISE must be able to resolve the domain's SRV records.
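Before joining, it is worth checking the domain controller side and preparing an account that has only the rights the join needs, rather than handing ISE the Administrator password. The following PowerShell, run on the Windows Server 2016 domain controller, is an added example and is not part of the original lab or Cisco's documentation. The domain labingoverload.com comes from the lab; the account name svc-ise-join and the target container are assumptions. Also keep the ISE node's hostname to 15 characters or fewer, since it becomes the name of the computer account ISE creates.

```powershell
# Added example (not part of the original lab): run on the Windows Server 2016 domain
# controller before attempting the join. The domain labingoverload.com comes from the lab;
# the join account name svc-ise-join and the container are assumptions.
Import-Module ActiveDirectory

$Domain    = 'labingoverload.com'
$NetBios   = 'LABINGOVERLOAD'
$JoinUser  = 'svc-ise-join'                             # assumed name
$Container = 'CN=Computers,DC=labingoverload,DC=com'    # where ISE will create its machine account

# 1. ISE locates domain controllers through these SRV records; both must resolve.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $r = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
    if ($r) { "OK   $srv -> $($r.NameTarget -join ', ')" } else { "FAIL $srv did not resolve" }
}

# 2. Kerberos rejects tickets when clocks differ by more than 5 minutes; confirm the DC is synced
#    (ISE should point at the same time source).
w32tm /query /status

# 3. Create a dedicated, least-privilege join account instead of using Administrator.
$Pwd = Read-Host -AsSecureString "Password for $JoinUser"
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -UserPrincipalName "$JoinUser@$Domain" `
           -AccountPassword $Pwd -Enabled $true -Description 'Cisco ISE AD join account'

# 4. Delegate only what the join needs on the target container: create and delete computer
#    objects. The creating account owns the object it creates, which covers ISE setting the
#    machine account password and attributes on its own computer object.
dsacls $Container /G "${NetBios}\${JoinUser}:CC;computer" "${NetBios}\${JoinUser}:DC;computer"

# 5. Show the resulting ACEs for review before using the account in the ISE join dialog.
dsacls $Container | Select-String $JoinUser
```

If either SRV lookup fails, fix DNS before touching ISE; the join will fail with a misleading error otherwise. If you have hardened the default security descriptor of the Computers container, re-check after the join that the ISE machine account can still update its own password and SPNs.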

To integrate your Cisco ISE with AD, first head over to your Cisco ISE dashboard by browsing to its IP address or hostname. In my case, I am accessing it via https://10.10.10.30, as shown below:

 

cisco ise dashboard

From here, navigate to Administration > Identity Management > External Identity Sources. You will see a list of the different external identity sources that you can integrate with your Cisco ISE. In our case we shall integrate with Microsoft Active Directory, therefore click on Active Directory.

cisco ise active directory

Click on the +Add button and enter the connection information below.

Join Point Name: labingoverload

Active Directory Domain: labingoverload.com

Cisco ISE AD join

Click on Submit and ISE will contact the domain. Afterwards, you will get a pop-up message: “Would you like to join all ISE nodes to this Active Directory Domain?”

Cisco ISE AD Join confirm

Once you click Yes, you will be prompted to enter the credentials required to join ISE to the Active Directory domain. In this case, we use the AD Administrator credentials. Note that a domain administrator account is not actually required: the join only needs an account that can search the directory and create (and set attributes on) a computer object in the target container, and ISE uses these credentials solely to create its machine account, authenticating to the domain with that machine account from then on. Once done, click OK.

Cisco ISE AD join

If all goes well, you will get a Status Summary: Successful as below

Cisco ISE AD join

You can now pull domain user groups, which you can then use in your policy sets. Let’s have a look at an example.

Navigate to the Groups tab.

Cisco ISE AD join

Click on +Add, then Select Groups From Directory to add user groups from your AD.

 

Cisco ISE AD join

In the Name Filter field, use *Users* to grab all groups whose name contains “Users” from our Active Directory domain (the asterisks are wildcards, so this is a substring match, not a list of every group). Afterwards, click Retrieve Groups... to retrieve the matching groups.

Cisco ISE AD join

As you can see, we are able to retrieve the matching user groups from our Active Directory domain.
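To confirm from the AD side that the join really happened and that ISE is seeing the same groups the directory holds, the following PowerShell can be run on the domain controller. It is an added example, not part of the original lab. The domain is the lab's; the ISE hostname is not given in the lab, so the machine account is located by creation time and service principal names rather than by name.

```powershell
# Added example (not part of the original lab): run on the domain controller after the join.
# Domain from the lab; the ISE hostname is not given, so the machine account is found by
# recency and by its SPNs rather than by name.
Import-Module ActiveDirectory

# 1. The join should have created a computer object for the ISE node. List the newest
#    computer accounts with their SPNs so the ISE account can be identified.
Get-ADComputer -Filter * -Properties whenCreated, servicePrincipalName, Description |
    Sort-Object whenCreated -Descending |
    Select-Object -First 5 Name, whenCreated,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ' ' } }

# 2. The same filter ISE applied in the Groups tab (*Users*), expressed against AD directly.
#    Compare this list with what ISE retrieved; a mismatch usually means ISE is querying a
#    different domain controller or the filter was typed differently.
$Filter = 'Users'
Get-ADGroup -Filter "Name -like '*$Filter*'" |
    Sort-Object Name |
    Format-Table Name, GroupScope, GroupCategory, DistinguishedName -AutoSize

# 3. Size check: how many groups an unfiltered retrieval in ISE would have to page through.
(Get-ADGroup -Filter *).Count
```

Only add to ISE the groups your policy sets will actually reference; every retrieved group is one more object ISE has to resolve at authentication time, and a broad wildcard such as *Users* will also pull in built-in groups you probably never want in an authorization rule.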

That’s it for this lab. I hope you picked something from this today. Till next time.

 

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
