In this lab, we are going to show how to integrate Cisco ISE with Microsoft Active Directory. The enterprise network of today is growing rapidly, and employees no longer use only work computers to access internal resources; this growth has led to the use of mobile devices, personal laptops and the like. VPNs allow remote access to resources inside the network; however, this can lead to security threats and data breaches, as you may not know the security posture of the devices accessing your network. It is therefore imperative to secure access from anywhere and from any device, and integrating ISE with Active Directory is what gives you identity-based network access control.
The Cisco Identity Services Engine enables a dynamic and automated approach to policy enforcement that simplifies the delivery of highly secure network access control. ISE empowers software-defined access and automates network segmentation within IT and OT environments. Ref: link
In order to complete this lab, ensure you have the following devices up and running in your setup:
- Microsoft Windows Server 2016 Standard
- Cisco Identity Services Engine v2.4
- Cisco IOL Switch
- Cisco IOL Router
N.B.: I have already configured Active Directory Domain Services on the Windows server. I also configured IP addressing and the default gateway, as well as DNS servers.
In order to integrate your Cisco ISE with AD, first head over to your Cisco ISE dashboard by accessing its IP or hostname. In my case, I am accessing it via https://10.10.10.30, as shown below:
From here, navigate to Administration > Identity Management > External Identity Sources. You will see a list of the different external identity sources that you can integrate with your Cisco ISE. In our case we shall integrate with Microsoft Active Directory, so click on Active Directory.
Click on the +Add button and enter the connection information below.
Join Point Name: labingoverload
Active Directory Domain: labingoverload.com
Click on Submit and ISE will contact our domain controller. Afterwards, you will get a pop-up message: "Would you like to join all ISE nodes to this Active Directory Domain?"
Once you click Yes, you will be prompted to enter the credentials required to join ISE to the Active Directory domain. In this case, you will use the Administrator AD credentials. Once done, click on OK.
If all goes well, you will get a Status Summary of Successful, as shown below.
You can now pull domain user groups, which you can then use in your policy sets. Let's have a look at an example.
Navigate to the Groups tab.
Click on +Add, then Select Groups From Directory to add user groups from your AD.
In the Name Filter field, use *Users* to grab all user groups from our Active Directory domain. Afterwards, click on Retrieve Groups... to retrieve the matching groups.
As you can see, we are able to retrieve all user groups from our Active Directory domain.
That's it for this lab. I hope you picked up something from this today. Till next time.
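Two of the steps above depend on things you cannot see from the ISE GUI: the join relies on the ISE node's DNS server answering the standard Active Directory locator records for the domain, and the Name Filter is turned into an LDAP search against the domain controller. The following is an added example, not code from the original lab or from Cisco, that models both offline: it lists the SRV names to resolve from the ISE node before clicking Submit, builds the LDAP filter that `*Users*` corresponds to (escaping everything except the wildcard, so text typed into a filter field cannot widen the search), and applies the filter to a constructed sample of groups. The `SAMPLE_GROUPS` data and SIDs are made up for the example; only the domain name comes from the lab.

```python
# Added example (not part of the original lab): an offline model of the
# directory-facing steps behind the AD join and the "*Users*" group lookup.
import re

DOMAIN = "labingoverload.com"   # join-point domain used in the lab


def dc_locator_srv_names(domain):
    """Standard AD DNS SRV records a domain member resolves to find a domain
    controller. Resolving these from the ISE node's configured DNS server is
    the quickest pre-check before attempting the join."""
    domain = domain.strip(".").lower()
    return [
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_gc._tcp.{domain}",
    ]


# RFC 4515 escapes for characters that are special inside an LDAP filter.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value, keep_wildcard=True):
    """Escape a value placed inside an LDAP search filter. '*' is kept only
    when the caller intends it as a wildcard (the Name Filter case); for any
    other user-supplied text it is escaped too."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if keep_wildcard else r"\2a")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def group_search_filter(name_filter):
    """LDAP filter equivalent of the Name Filter typed into the Groups dialog,
    e.g. '*Users*' -> '(&(objectClass=group)(cn=*Users*))'."""
    return f"(&(objectClass=group)(cn={escape_filter_value(name_filter)}))"


# Constructed sample of what the domain's group search might return.
SAMPLE_GROUPS = [
    {"cn": "Domain Users", "sid": "S-1-5-21-1-2-3-513"},
    {"cn": "Domain Admins", "sid": "S-1-5-21-1-2-3-512"},
    {"cn": "Remote Desktop Users", "sid": "S-1-5-21-1-2-3-1101"},
    {"cn": "VPN-Users", "sid": "S-1-5-21-1-2-3-1102"},
    {"cn": "Helpdesk", "sid": "S-1-5-21-1-2-3-1103"},
]


def _wildcard_regex(name_filter):
    """Treat '*' as the only wildcard; everything else is matched literally,
    case-insensitively, as AD does for the cn attribute."""
    parts = [re.escape(p) for p in name_filter.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def select_groups(groups, name_filter):
    """Apply the name filter to the sample directory and return the matches
    in the 'domain/cn' form ISE shows in the Groups tab."""
    pattern = _wildcard_regex(name_filter)
    return [f"{DOMAIN}/{g['cn']}" for g in groups if pattern.match(g["cn"])]


if __name__ == "__main__":
    print("Resolve these from the ISE node before joining:")
    for name in dc_locator_srv_names(DOMAIN):
        print("  ", name)
    print("LDAP filter for *Users*:", group_search_filter("*Users*"))
    print("Groups retrieved:", select_groups(SAMPLE_GROUPS, "*Users*"))
```

On a live setup, `nslookup -type=SRV _ldap._tcp.dc._msdcs.labingoverload.com` from a host using the same DNS server as ISE should return the domain controller; if it does not, the join will fail regardless of the credentials entered.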