ISE AD administration based on User

Answered Question
Feb 18th, 2014
I have a new ISE box and want to use AD for management. I have ISE successfully connected to AD and can authenticate to the management interface using AD. My next step is to filter specific users from the AD group for authentication. Is this possible? If so, any help or documents would be greatly appreciated.

Thanks in advance.

Bret

Correct Answer
George Stefanick Tue, 02/18/2014 - 07:14
Yes, you can use specific AD groups and apply ISE policy.

Configuring Active Directory Groups

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"

jjohnston1127 Tue, 02/18/2014 - 07:23

  1. Go to Administration -> Admin Access.
  2. Click on Authentication and change the identity source to your AD server. Don't worry, the internal logins will still work and appear in a drop-down should the AD server become unavailable.
  3. Expand Administrators, then expand Admin Groups.
  4. Create a new Admin Group and check the box for External.
  5. Point to the External Group of the AD group you want to be able to administer ISE.
  6. Expand Authorization in the same menu.
  7. Click on Policy.
  8. Create a new rule and point it to the Admin Group you created and assign the appropriate role permissions.

You're done!

bret Tue, 02/18/2014 - 07:57

Thank you both for a quick response. I have ISE joined to AD and can authenticate without any problem. Since the AD group I am using has several users, I need to filter specific users out for ISE management. I am very new to ISE, and from what I have read and what you mention, George, I need to create a policy filtering out the users. Is that correct?

Correct Answer
jjohnston1127 Tue, 02/18/2014 - 08:11

I would recommend creating a new Active Directory group called "ISE Admins" or something and assigning that group to the ISE Admin group inside of ISE you created based on step 4 in my instructions above.
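The AD side of this recommendation (a dedicated group that contains only the intended ISE administrators, which the external Admin Group in step 4 then points at) can be scripted so the membership is explicit and reviewable. The following is an added example and is not code from this thread or from Cisco; it assumes the RSAT ActiveDirectory PowerShell module, rights to create groups in the target OU, and a placeholder OU path and placeholder account names that you would replace with your own.

```powershell
# Added example (not from the thread): create a dedicated "ISE Admins" security group
# and populate it with only the named accounts, then list the effective membership.
# Assumptions: RSAT ActiveDirectory module is installed; the caller may create groups
# in $TargetOU; the OU path and the member names below are placeholders.
Import-Module ActiveDirectory

$GroupName = 'ISE Admins'
$TargetOU  = 'OU=Security Groups,DC=example,DC=local'   # placeholder: your OU
$Admins    = @('alice', 'bob')                          # placeholder: sAMAccountNames

# Create the group only if it does not already exist. -Filter returns $null when
# nothing matches, unlike -Identity, which throws for a missing object.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $TargetOU
if (-not $group) {
    $group = New-ADGroup -Name $GroupName `
                         -SamAccountName 'ISE-Admins' `
                         -GroupCategory Security `
                         -GroupScope Global `
                         -Path $TargetOU `
                         -Description 'Accounts permitted to administer Cisco ISE' `
                         -PassThru
}

# Add only the accounts that are not already members, so re-running the script is safe.
$existing = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$toAdd    = $Admins | Where-Object { $_ -notin $existing }
if ($toAdd) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# Review the effective membership recursively so nested groups are expanded; this is
# the set of people who can reach the ISE admin interface once ISE maps this group.
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object
```

Keeping the ISE admin group separate from the broader group used for network authentication means a change to who can log in to ISE is a visible AD membership change rather than a policy edit buried in ISE, and the recursive listing at the end is worth re-running periodically, since any group nested inside "ISE Admins" inherits the access.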

bret Wed, 02/19/2014 - 05:05

Although ISE can do the policy, for someone new to ISE I found it a little challenging, so I used an AD group. Thank you both for the quick response.
