New Member

ISE 1.2 Admin Access via Active Directory

Hi Experts,

Good Day!

I want to configure my ISE 1.2 to authenticate (for admin) against Active Directory. I know it is possible, but our AD doesn't have any groups named for admins.

Is it possible for ISE 1.2 to configure a local user ID and check it against the AD for the password of the user ID?

Thanks for your great help.

 

niks

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Niks,

I just got done doing this. First of all, you have to have Active Directory set up as an external data source. Once you do that, click on Administration > Admin Access.

For the Authentication Type, ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).

Then click on Administrators > Admin Users. Click Add a user > Create Admin User. Be sure to check the External box, and you will notice the Password field goes away. Fill out the appropriate information and then assign them to an Admin Group.

Once you are done with that, you can test that user by logging out of your ISE session. You will notice that when you try to log back in, you will have a choice of the data sources used to authenticate the user. Change the selection to Active Directory and enter the AD user/password for the newly created account, and you should be good to go.

Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

New Member

Hi Michael,

Good Day!

So in this setup, the admin username that I will be creating should match the username stored in the AD, right, so that only the password will be queried from ISE to AD?

Thank you and have a nice day!

 

Cheers,

niks :)

New Member

niks,

You are correct. When you set up the user and check that it is external, it will query your external data sources. If AD is the first or only external data source, ISE will use the username to authenticate against that data source and not the internal ISE account.

I typically name my internal users differently than the external (AD) users.  This helps me recognize the different users at a glance.

Michael.

Cisco Employee

Administrative Access to Cisco ISE Using an External Identity Store

 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#45308
