SEC0033 - ISE 1.1 AD Integration and Identity Source Sequence

Rating: 5 (average of 2 votes)

The video demonstrates the steps to integrate Cisco ISE with Windows Active Directory so that ISE can retrieve user information for authentication and authorization. The process is very similar to joining a computer to a domain: ISE becomes a domain computer. Once joined, ISE has access to user attributes, in particular group membership, which is usually the main input for deciding a user's access privileges. An Identity Source Sequence, on the other hand, is a list of Identity Sources in order of preference, which we also look at in this video.

Topic:
  • Active Directory External Identity Source
  • AD User Group Selection
  • Identity Source Sequence
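
As an added example (not code from the video, labminutes, or Cisco), the Python below models an Identity Source Sequence as the ordered list the description refers to: each store is tried in order of preference, a user that a store does not know falls through to the next store, and a user that a store does know but whose password fails stops the sequence at that store. Store names, accounts and passwords are constructed; the fall-through rules, including the advanced option for a store that cannot be reached, are my reading of ISE's behaviour and should be confirmed against the admin guide for your release.

```python
"""Model of an ISE Identity Source Sequence (added example, not Cisco code).

An ordered list of identity stores is consulted in order of preference.
Store data, names and passwords are constructed; the fall-through rules are
my reading of ISE's documented behaviour (verify against your release).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


class UserNotFound(Exception):
    """The store has no account with this name."""


class BadCredentials(Exception):
    """The store knows the account but the password did not match."""


class StoreUnreachable(Exception):
    """The store could not be contacted (e.g. no domain controller answered)."""


def _digest(password: str) -> str:
    # Constructed stand-in for a store's credential check; AD really uses Kerberos/NTLM.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class IdentityStore:
    name: str
    users: Dict[str, Tuple[str, List[str]]]  # username -> (password digest, groups)
    reachable: bool = True

    def authenticate(self, username: str, password: str) -> List[str]:
        """Return the user's groups, or raise one of the three outcomes above."""
        if not self.reachable:
            raise StoreUnreachable(self.name)
        record = self.users.get(username.lower())
        if record is None:
            raise UserNotFound(username)
        digest, groups = record
        if not hmac.compare_digest(digest, _digest(password)):
            raise BadCredentials(username)
        return groups


@dataclass
class IdentitySourceSequence:
    stores: List[IdentityStore]
    # ISE advanced option for a store that cannot be accessed (my reading of the GUI):
    #   True  = treat as "user not found" and proceed to the next store
    #   False = stop and set AuthenticationStatus to ProcessError
    proceed_when_unreachable: bool = False

    def authenticate(self, username: str, password: str) -> dict:
        for store in self.stores:
            try:
                groups = store.authenticate(username, password)
                return {"status": "Passed", "store": store.name, "groups": groups}
            except UserNotFound:
                continue  # unknown here: try the next store in preference order
            except BadCredentials:
                # The store knows the user and rejected the password: later stores are
                # NOT consulted, so a password valid in a lower-preference store cannot rescue it.
                return {"status": "Failed", "store": store.name, "reason": "BadCredentials"}
            except StoreUnreachable:
                if self.proceed_when_unreachable:
                    continue
                return {"status": "ProcessError", "store": store.name, "reason": "StoreUnreachable"}
        return {"status": "Failed", "store": None, "reason": "UserNotFound"}


def build_sample_sequence(ad_reachable: bool = True,
                          proceed_when_unreachable: bool = False) -> IdentitySourceSequence:
    """Constructed sequence: AD first, ISE Internal Users second (all accounts are made up)."""
    ad = IdentityStore("AD:example.internal", {
        "alice": (_digest("Alice-Pass-1"), ["Domain Users", "NetAdmins"]),
        "bob": (_digest("Bob-Pass-1"), ["Domain Users"]),
    }, reachable=ad_reachable)
    internal = IdentityStore("Internal Users", {
        "bob": (_digest("Local-Bob-2"), ["Guests"]),
        "contractor1": (_digest("Temp-Pass-9"), ["Contractors"]),
    })
    return IdentitySourceSequence([ad, internal], proceed_when_unreachable)


if __name__ == "__main__":
    seq = build_sample_sequence()
    for user, pw in [("alice", "Alice-Pass-1"), ("contractor1", "Temp-Pass-9"),
                     ("bob", "Local-Bob-2"), ("nobody", "x")]:
        print(user, seq.authenticate(user, pw))
```

The "bob" case is the one worth remembering when designing a sequence: because AD knows bob, his Internal Users password is never tried, so placing a store earlier in the sequence also decides whose password failure is final.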

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

11 comments

Hi,

I don't have any info on how AD works; I just wanted to know what we should do if we have to integrate ISE with an AD architecture with multiple sub-domains according to geographical region.

Any help would be appreciated. Thanks

As long as those sub domains are trusted by the domain that you integrate ISE with, ISE should have visibility to all the AD security groups. Multiple untrusted domains are currently not supported, I believe.


If I integrate ISE with the parent domain and there is a trust relationship between the parent and all child domains, we should be able to import all required AD groups from the child domains to perform AuthC and AuthZ.

Please let me know if I understand it correctly, and thanks a lot for your guidance. I really like your videos as they have pretty good insight into technologies.

That is correct. You can even do this between forests as long as the trust is there.

Hi

First of all, thanks for these excellent guides.

I have a problem integrating with AD. My AD servers and ISE are in different subnets. The ISE subnet is registered in AD.

I have wiresharked the communication between ISE and the DNS server, and can see that DNS responds with all of the SRV records, but when I test AD in ISE it says it can't find any SRV records.

Any ideas why that is? Or where I can get more detailed debug info? I can't find anything useful in the logs.

Thanks for any help

H

adinfo (CentrifyDC 4.5.0-357)

Host Diagnostics
uname: Linux ISE01-LON3 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 i686
OS: Linux
Version: 2.6.18-274.17.1.el5PAE
Number of CPUs: 2

IP Diagnostics
Local host name: ise01-lon3
Local IP Address: 10.180.0.4
FQDN host name:ise01-lon3.tcy.prv

Domain Diagnostics
Domain: tcy.prv
Subnet site:
WARNING
Unable to locate computer's subnet site in Active Directory.
Ask your Active Directory administrator to add this computer's subnet
to the appropriate site.
DNS query for: _ldap._tcp.tcy.prv
Found no SRV records

Computer Account Diagnostics
Not joined to any domain

System Diagnostic
Not joined to any domain

Centrify DirectControl Status
Not joined to any domain

Licensed Features: Enabled

SELinux status: disabled
amavis1.1.0
ccs1.0.0
clamav1.1.0
dcc1.1.0
dnsmasq1.1.1
evolution1.1.0
ipsec1.4.0
iscsid1.0.0
milter1.0.0
mozilla1.1.0
mplayer1.1.0
nagios1.1.0
oddjob1.0.1
pcscd1.0.0
postgrey1.1.0
prelude1.0.0
pyzor1.1.0
qemu1.1.2
razor1.1.0
ricci1.0.0
smartmon1.1.0
spamassassin1.9.0
virt1.0.0
zosremote1.0.0

Just to cover the basics. Assuming ise01-lon3.tcy.prv is your ISE hostname and domain, can you make sure:
1. The ise01-lon3.tcy.prv DNS record is created.
2. Time on ISE and AD is synchronized.
3. On the ISE CLI, you can ping ise01-lon3.tcy.prv, which is itself.
4. On the ISE CLI, you can ping tcy.prv, which probably resolves to your domain controller.
5. Test an AD user login and see if it passes on the AD Integration page.
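
The checklist above can be run from an admin workstation rather than clicked through by hand. The Python below is an added example (not code from the video, labminutes, or Cisco) that checks the ISE node's forward DNS record, queries the AD SRV records a join depends on with `dig`, orders the returned domain controllers the way a client would (RFC 2782 priority, then weight), and confirms that each DC accepts TCP on the LDAP (389) and Kerberos (88) ports, since an ICMP reply alone, as in the pings posted above, does not prove the join traffic can get through. It assumes `dig` is installed where it runs; the `example.internal` names and the sample `dig` output are constructed. Passing the DNS server ISE is configured with lets you compare what that resolver returns against what a packet capture shows.

```python
"""Pre-join DNS and reachability checks for ISE <-> AD integration.

Added example, not code from the video or from Cisco. Runs from an admin
workstation with `dig` installed; example.internal names and SAMPLE_DIG_OUTPUT
are constructed.
"""
import socket
import subprocess
import sys
from typing import List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def srv_names_for_domain(domain: str) -> List[str]:
    """SRV names a domain join relies on: LDAP, Kerberos and the DC locator record."""
    return [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}",
            f"_ldap._tcp.dc._msdcs.{domain}"]


def parse_srv_short(output: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` lines ('priority weight port target.') and order them as a
    client would choose: lowest priority first, heavier weight first within a priority."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip resolver comments, blank lines and truncated output
        priority, weight, port = (int(p) for p in parts[:3])
        records.append(SrvRecord(priority, weight, port, parts[3].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def dig_srv(name: str, server: Optional[str] = None) -> str:
    """Query the resolver ISE is configured with; returns raw +short output ('' on failure)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", "SRV", name]
    if server:
        cmd.insert(1, f"@{server}")
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=10, check=False).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """A ping reply does not prove the join will work; the service port must accept TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ise_join_prerequisites(ise_fqdn: str, domain: str,
                                 dns_server: Optional[str] = None) -> dict:
    """Checklist items 1 and 4 plus port checks; time sync and the login test stay manual."""
    report = {"ise_forward_record": None, "srv": {}, "dc_ports": {}}
    try:
        report["ise_forward_record"] = socket.gethostbyname(ise_fqdn)
    except OSError:
        pass  # item 1 failed: the node's own A record is missing
    for name in srv_names_for_domain(domain):
        report["srv"][name] = parse_srv_short(dig_srv(name, dns_server))
    for rec in report["srv"].get(f"_ldap._tcp.{domain}", []):
        report["dc_ports"][rec.target] = {389: tcp_reachable(rec.target, 389),
                                          88: tcp_reachable(rec.target, 88)}
    return report


# Constructed sample of what `dig +short SRV _ldap._tcp.example.internal` could return.
SAMPLE_DIG_OUTPUT = """\
0 100 389 dc1.example.internal.
10 50 389 dc2.example.internal.
0 200 389 dc3.example.internal.
;; resolver comment lines like this one must be ignored
"""

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # live run: script.py <ise-fqdn> <ad-domain> [dns-server]
        server = sys.argv[3] if len(sys.argv) > 3 else None
        print(check_ise_join_prerequisites(sys.argv[1], sys.argv[2], server))
    else:  # offline demonstration on the constructed sample
        for rec in parse_srv_short(SAMPLE_DIG_OUTPUT):
            print(rec)
```

An empty list for `_ldap._tcp.<domain>` from the resolver ISE actually uses, while a capture elsewhere shows answers, points at a resolver or search-domain mismatch rather than at AD itself; a DC that answers ping but refuses port 389 or 88 points at a filter between the subnets.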

Thanks for the reply

All of the above is correct. I can't ping tcy.prv, but I can ping the domain controllers that are returned to ISE in the SRV records. NTP is synced, and the user is OK.

ISE01-LON3/admin# ping ise01-lon3.tcy.prv
PING ise01-lon3.tcy.prv (10.180.0.4) 56(84) bytes of data.
64 bytes from 10.180.0.4: icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from 10.180.0.4: icmp_seq=2 ttl=64 time=0.024 ms
64 bytes from 10.180.0.4: icmp_seq=3 ttl=64 time=0.015 ms
64 bytes from 10.180.0.4: icmp_seq=4 ttl=64 time=0.030 ms

--- ise01-lon3.tcy.prv ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3047ms
rtt min/avg/max/mdev = 0.015/0.021/0.030/0.007 ms

ISE01-LON3/admin# ping lon-dc02.tcy.prv
PING lon-dc02.tcy.prv (192.168.0.132) 56(84) bytes of data.
64 bytes from 192.168.0.132: icmp_seq=1 ttl=126 time=12.6 ms
64 bytes from 192.168.0.132: icmp_seq=2 ttl=127 time=1.71 ms
64 bytes from 192.168.0.132: icmp_seq=3 ttl=127 time=0.756 ms
64 bytes from 192.168.0.132: icmp_seq=4 ttl=127 time=0.886 ms

--- lon-dc02.tcy.prv ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.756/3.994/12.622/4.994 ms

ISE01-LON3/admin# ping lon-dc03.tcy.prv
PING lon-dc03.tcy.prv (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=126 time=1.76 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=127 time=1.81 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=127 time=0.492 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=127 time=1.12 ms

--- lon-dc03.tcy.prv ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.492/1.301/1.817/0.541 ms

ISE01-LON3/admin# ping lon-dc04.tcy.prv
PING lon-dc04.tcy.prv (192.168.0.4) 56(84) bytes of data.
64 bytes from 192.168.0.4: icmp_seq=1 ttl=126 time=1.50 ms
64 bytes from 192.168.0.4: icmp_seq=2 ttl=127 time=1.78 ms
64 bytes from 192.168.0.4: icmp_seq=3 ttl=127 time=0.394 ms
64 bytes from 192.168.0.4: icmp_seq=4 ttl=127 time=0.888 ms

--- lon-dc04.tcy.prv ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.394/1.142/1.780/0.540 ms

ISE01-LON3/admin#
ISE01-LON3/admin#
ISE01-LON3/admin# sh ntp
Configured NTP Servers:
10.16.143.21

synchronised to NTP server (10.16.143.21) at stratum 2
time correct to within 446 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.0 .LOCL. 10 l 25 64 377 0.000 0.000 0.001
*10.16.143.21 .GPS. 1 u 26 64 377 1.019 0.107 1.684

* Current time source, + Candidate

Warning: Output results may conflict during periods of changing synchronization.

I have located the issue. It seems to be related to ISE not being on the same subnet as the DC, although the ISE subnet was added to the domain. I added another interface to ISE and put it on the same subnet as the DC, and now my AD test works.

Thanks

That seems strange. We have joined ISE to a domain across subnets successfully numerous times, but I am glad it worked out for you.

I have a problem. I have successfully joined the domain, and everything is working fine between the ISE server and the AD.

I wanted to retrieve a domain group. I was able to retrieve it, but it couldn't save, as I didn't get a response from the ISE server.

What could be the problem?

Secondly, I wanted to test my configurations from the switch using the diagnostic test. It's telling me connection refused.

I have done all the necessary commands for SSH on the switch, but I noticed that when I type the command login, it tells me incomplete command. So with the question mark, it comes with the authentication, which means AAA is required, and I did it to use RADIUS, yet the connection is being refused.

login ? authentication ? default or word etc...

Thank you for the helpful hints

Hmm, I have never run into an issue where you can view and select an AD group but cannot save. Could it be a bad connection between ISE and AD, or a bad ISE install? To test RADIUS authentication, you can use the "test aaa authentication" command on the switch, and you should see the authentication log on ISE. Just keep in mind that you need to have the switch added as a network device and appropriate authentication and authorization policies configured to support the request.