Cisco Support Community
Community Member

ISE AD administration based on User

I have a new ISE box and want to use AD for management. I have ISE successfully connected to AD and can authenticate to the management interface using AD. My next step is to filter specific users from the AD group for authentication. Is this possible? If so, any help or documents would be greatly appreciated.

Thanks in advance.

Bret

5 REPLIES

ISE AD administration based on User

Yes, you can use specific AD groups and apply ISE policy.

Configuring Active Directory Groups

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"


ISE AD administration based on User

  1. Go to Administration -> Admin Access
  2. Click on Authentication and change the identity source to your AD server. Don't worry, the internal logins will still work and appear in a drop down should the AD server become unavailable.
  3. Expand Administrators then expand Admin Groups
  4. Create a new Admin Group and check the box for External
  5. Point to the External Group of the AD group you want to be able to administer ISE.
  6. Expand Authorization in the same menu.
  7. Click on Policy
  8. Create a new rule and point it to the Admin Group you created and assign the appropriate role permissions.

You're done!

Community Member

ISE AD administration based on User

Thank you both for a quick response. I have ISE joined to AD and can authenticate without any problem. Since the AD group I am using has several users, I need to filter specific users out for ISE management. I am very new to ISE, and from what I have read and what you mention, George, I need to create a policy filtering out the users. Is that correct?

ISE AD administration based on User

I would recommend creating a new active directory group called "ISE Admins" or something and assigning that group to the ISE Admin group inside of ISE you created based on step 4 in my instructions above.

Community Member

ISE AD administration based on User

Although ISE can do the policy, for someone new to ISE I found it a little challenging, so I used an AD group. Thank you both for the quick response.
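
The dedicated-group approach this thread settles on, as an added example that was not posted by any participant: it creates the "ISE Admins" AD group, adds an approved list of users, and reports anyone who reaches the group directly or through nesting without being on that list. The OU path and account names are constructed placeholders; the cmdlets are from the ActiveDirectory PowerShell module.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The group name comes from the thread; every other value is a constructed placeholder.
$GroupName = 'ISE Admins'
$GroupPath = 'OU=Security Groups,DC=example,DC=com'   # assumption: replace with your own OU
$Approved  = @('alice.adm', 'bob.adm')                 # constructed sAMAccountNames

# 1. Create the dedicated group once. The external Admin Group in ISE maps to this group only.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Members may administer Cisco ISE' -PassThru
}

# 2. Add approved users who are not yet direct members.
$direct = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$toAdd  = @($Approved | Where-Object { $_ -notin $direct })
if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

# 3. Audit effective membership. -Recursive expands nested groups, which is how
#    accounts outside the approved list usually end up with ISE admin rights.
function Get-IseAdminDrift {
    param(
        [Parameter(Mandatory)] $Group,
        [string[]] $Approved = @()
    )
    $effective = @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName)
    $nested = @(Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'group' |
        Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Unexpected   = @($effective | Where-Object { $_ -notin $Approved })
        Missing      = @($Approved  | Where-Object { $_ -notin $effective })
        NestedGroups = $nested
    }
}

$drift = Get-IseAdminDrift -Group $group -Approved $Approved
if ($drift.Unexpected -or $drift.NestedGroups) {
    Write-Warning ("ISE admin group drift: users=[{0}] nested groups=[{1}]" -f `
        ($drift.Unexpected -join ', '), ($drift.NestedGroups -join ', '))
}
$drift
```

Running step 3 on a schedule and alerting on a non-empty `Unexpected` or `NestedGroups` result catches membership changes made in AD that never pass through ISE's own admin configuration.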
