
ISE 1.2 Admin Access via Active Directory

fatalXerror
Level 5

Hi Experts,

Good Day!

I want to configure my ISE 1.2 to authenticate (for admin) against Active Directory. I know it is possible, but our AD doesn't have any groups named for admins.

Is it possible to configure a local user ID in ISE 1.2 and check it against AD for the password of the user ID?

Thanks for your great help.

 

niks

1 Accepted Solution


michael.patrick
Level 1

Niks,

I just got done doing this. First of all, you have to have Active Directory set up as an external data source. Once you do that, click on Administration > Admin Access.

For the Authentication Type, ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).

Then click on Administrators > Admin Users. Click Add a user > Create Admin User. Be sure to check the External box, and you will notice the Password field goes away. Fill out the appropriate information and then assign them to an Admin Group.

Once you are done with that, you can test that user by logging out of your ISE session. You will notice that when you try to log back in, you will have a choice of the data sources used to authenticate the user. Change the selection to Active Directory and enter the AD user/password for the newly created account, and you should be good to go.

Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

Hi Michael,

Good Day!

So in this setup, the admin username that I will be creating should match the username stored in AD, right, so that only the password will be queried from ISE to AD?

Thank you and have a nice day!

 

Cheers,

niks :)

niks,

You are correct: when you set up the user and check that it is external, it will query your external data sources. If AD is the first or only external data source, ISE will use the username to authenticate against that data source and not the internal ISE account.

I typically name my internal users differently than the external (AD) users.  This helps me recognize the different users at a glance.

Michael.

Venkatesh Attuluri
Cisco Employee

Administrative Access to Cisco ISE Using an External Identity Store

 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_admin.html#45308