Cisco ISE: Creating users, adding LDAP servers, integrating with AD. Part 2


Welcome to the second post in the Cisco ISE series. The first article covered what distinguishes Network Access Control (NAC) solutions from standard AAA, what makes Cisco ISE unique, its architecture, and the installation of the product.

In this article we will go into creating accounts, adding LDAP servers, integrating with Microsoft Active Directory, and the nuances of working with PassiveID. Before reading, I strongly recommend going through the first part.

1. Some terminology

User Identity - a user account that contains information about a user and defines the credentials with which that user accesses the network. A User Identity typically carries the following parameters: username, email address, password, account description, user group and role.

User Groups - a collection of individual users who share a common set of privileges granting access to a specific set of Cisco ISE services and functions.

User Identity Groups - predefined user groups that already carry certain information and roles. The following User Identity Groups exist by default, and you can add users and user groups to them: Employee, SponsorAllAccount, SponsorGroupAccounts and SponsorOwnAccounts (sponsor accounts for managing the guest portal), Guest, and ActivatedGuest.

User Role - a set of permissions that determines which tasks a user can perform and which services they can access. A user role is often associated with a user group.

In addition, each user and user group has extra attributes that let you select and describe that user (or user group) more precisely. More information is in the Cisco ISE administrator guide.

2. Create local users

1) Cisco ISE can create local users and use them in an access policy, or even give them a product administration role. Select Administration → Identity Management → Identities → Users → Add.

Figure 1. Adding a local user to Cisco ISE

2) In the window that opens, create the local user, set a password and fill in the other self-explanatory parameters.

Figure 2. Creating a local user in Cisco ISE

3) Users can also be imported. In the same tab, Administration → Identity Management → Identities → Users, choose Import and upload a CSV or TXT file with the users. To get a template, select Generate a Template and fill it in with the user data in the required format.

Figure 3. Importing users into Cisco ISE

3. Adding LDAP servers

As a reminder, LDAP is a popular application-layer protocol for retrieving information from, authenticating against, and searching for accounts in the directories of LDAP servers. It runs on TCP port 389 (plain LDAP, optionally upgraded with StartTLS) or 636 (LDAPS, LDAP over SSL/TLS). Well-known LDAP servers are Active Directory, Sun Directory Server, Novell eDirectory and OpenLDAP. Each entry in an LDAP directory is identified by a DN (Distinguished Name), and the point of the integration is to retrieve accounts, user groups and attributes from the directory so that they can be used in an access policy.

Cisco ISE can be configured with several LDAP servers, which gives redundancy: if the primary LDAP server is unavailable, ISE tries the secondary, and so on. In addition, with two PANs you can give one LDAP server priority for the primary PAN and another for the secondary PAN.

ISE supports two types of lookup against LDAP servers: User Lookup and MAC Address Lookup. User Lookup searches the LDAP directory for a user without authenticating and returns the user, the user's attributes and the user's groups. MAC Address Lookup likewise searches the directory by MAC address without authenticating and returns information about the device, the group of devices the MAC address belongs to, and other device-specific attributes. Keep in mind that an LDAP identity source can only authenticate methods in which ISE receives the password in cleartext (PAP/ASCII, EAP-GTC) or does a certificate-based lookup (EAP-TLS); MSCHAPv2-based methods such as PEAP-MSCHAPv2 cannot be authenticated against LDAP and need the Active Directory integration described in section 4.

As an integration example, let's add Active Directory to Cisco ISE as an LDAP server.

1) Go to Administration → Identity Management → External Identity Sources → LDAP → Add.

Figure 4. Adding an LDAP server

2) In the General panel specify the LDAP server name and the schema (in our case, Active Directory).

Figure 5. Adding an LDAP server with the Active Directory schema

3) Next, go to the Connection tab and specify the hostname/IP address of the AD server, the port (389 for LDAP, 636 for LDAP over SSL/TLS) and the bind credentials (Admin DN is the full DN of the bind account, not its short login name); the other parameters can be left at their defaults.

Note: the original advice is to use a domain administrator account to avoid potential problems, but the LDAP integration only needs to read users, groups and attributes, so a dedicated read-only bind account is the least-privilege choice. Whatever account you use, prefer port 636: a simple bind over port 389 sends the bind password in cleartext.

Figure 6. Entering the LDAP server connection details

4) In the Directory Organization tab specify, as DNs, the subtrees from which users and user groups are to be pulled.

Figure 7. Defining the directory subtrees from which users and groups are pulled

5) Go to Groups → Add → Select Groups From Directory to choose the groups to pull from the LDAP server.

Figure 8. Adding groups from the LDAP server

6) In the window that appears, click Retrieve Groups. If the groups are listed, the preliminary steps have succeeded. Otherwise, try another bind account and check that ISE can reach the LDAP server on the LDAP port.

Figure 9. List of retrieved user groups

7) In the Attributes tab you can optionally specify which attributes to pull from the LDAP server, and in Advanced Settings you can turn on Enable password change, which allows users whose password has expired or been reset to change it during authentication. In any case, click Submit to continue.

8) The LDAP server now appears in the corresponding tab and can be used when building access policies.

Figure 10. List of added LDAP servers
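Before clicking Retrieve Groups it is worth proving, from outside ISE, that the bind account and the DNs you entered in steps 3 and 4 actually work over LDAPS. The script below is an added example (it is not from the article and not a Cisco tool): it binds to AD over port 636 with the account you intend to enter as Admin DN, runs the same group search ISE performs for Retrieve Groups, and then does a User Lookup by sAMAccountName. The server name dc01.corp.example, the DNs, the svc-ise-ldap account and the test user jdoe are assumptions; run it from a Windows host with PowerShell 5.1 or later that has the same network path to the DC as the PSN.

```powershell
<#
 Added example: pre-flight check for a Cisco ISE LDAP identity source.
 Binds over LDAPS with the intended Admin DN, lists groups under the Group
 Directory Subtree, and looks up one user under the Subject Search Base.
 All host names, DNs and accounts below are assumptions for illustration.
#>
param(
    [string]$Server    = 'dc01.corp.example',                                   # assumed DC
    [int]   $Port      = 636,                                                   # 636 = LDAPS, 389 = cleartext
    [string]$BindDn    = 'CN=svc-ise-ldap,OU=Service Accounts,DC=corp,DC=example',  # assumed read-only bind account
    [string]$GroupBase = 'OU=Groups,DC=corp,DC=example',                        # Group Directory Subtree
    [string]$UserBase  = 'OU=Users,DC=corp,DC=example',                         # Subject Search Base
    [string]$TestUser  = 'jdoe'                                                 # assumed sAMAccountName
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Reject characters that have meaning in an LDAP filter so $TestUser cannot alter the search.
if ($TestUser -notmatch '^[\w.\-]+$') { throw "Unsafe sAMAccountName: $TestUser" }

$password = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$cred     = [System.Net.NetworkCredential]::new($BindDn, $password)

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
    [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port),
    $cred,
    [System.DirectoryServices.Protocols.AuthType]::Basic)          # simple bind, as ISE uses for Admin DN
$conn.SessionOptions.ProtocolVersion   = 3
# With LDAPS the DC certificate is validated against the Windows trust store, just as ISE
# validates it against the CA certificate uploaded under Trusted Certificates.
$conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)

function Invoke-LdapSearch {
    param([string]$Base, [string]$Filter, [string[]]$Attributes)
    $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $Base, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
}

try {
    $conn.Bind()        # throws LdapException on wrong DN/password, TLS failure or blocked port
    Write-Host "Bind as $BindDn on ${Server}:$Port OK"

    # 1) Same search as Retrieve Groups: every group under the Group Directory Subtree.
    $groups = Invoke-LdapSearch -Base $GroupBase -Filter '(objectClass=group)' -Attributes 'cn'
    Write-Host "$($groups.Entries.Count) group(s) visible under $GroupBase"
    foreach ($g in $groups.Entries) { Write-Host "  $($g.Attributes['cn'][0])" }

    # 2) User Lookup: the attributes ISE uses to map the user to groups and policies.
    $users = Invoke-LdapSearch -Base $UserBase `
        -Filter "(&(objectClass=user)(sAMAccountName=$TestUser))" `
        -Attributes 'distinguishedName', 'memberOf'
    if ($users.Entries.Count -eq 0) {
        Write-Warning "$TestUser not found under $UserBase; check the Subject Search Base"
    } else {
        $u = $users.Entries[0]
        Write-Host "User DN: $($u.DistinguishedName)"
        $memberOf = $u.Attributes['memberOf']
        if ($memberOf) { $memberOf.GetValues([string]) | ForEach-Object { Write-Host "  memberOf $_" } }
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # AD puts the real reason in ServerErrorMessage, e.g. "data 52e" = bad password,
    # "data 525" = bind DN does not exist, "data 775" = account locked out.
    Write-Error "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message) $($_.Exception.ServerErrorMessage)"
}
finally {
    $conn.Dispose()
}
```

If the bind succeeds but the group list is empty, the Group Directory Subtree DN is wrong or the bind account cannot read that OU; if the bind itself fails with "data 52e", the password is wrong; a TLS error on port 636 means the DC certificate is not trusted, which ISE will reject in exactly the same way.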

4. Integration with Active Directory

1) By adding the Microsoft Active Directory server as an LDAP server we got users and user groups, but no logon events. Next, I propose setting up full AD integration with Cisco ISE. Go to Administration → Identity Management → External Identity Sources → Active Directory → Add.

Note: for a successful AD join, ISE needs working DNS resolution of the domain (including its SRV records), time synchronised with the domain via NTP (Kerberos rejects clock skew above 5 minutes by default), and network connectivity to the domain controllers; otherwise the join will fail.

Figure 11. Adding an Active Directory server

2) In the window that opens, enter the credentials of the domain administrator (any account allowed to join computers to the domain and to create computer objects in the target OU is sufficient) and tick Store Credentials. You can also specify an OU (Organizational Unit) if the ISE computer object is to be placed in a specific OU. Then select the Cisco ISE nodes that you want to join to the domain.

Figure 12. Entering credentials

3) Before adding domain controllers, make sure that the Passive Identity Service option is enabled on the PSN under Administration → System → Deployment. Passive ID is the option that maps users to IP addresses and vice versa. PassiveID gets its information from AD via WMI, from dedicated agents installed on the domain controllers, or from a SPAN port on the switch (the least preferred option).

Note: to check the status of PassiveID, type show application status ise | include PassiveID in the ISE console.

Figure 13. Enabling the PassiveID option

4) Go to Administration → Identity Management → External Identity Sources → Active Directory → PassiveID and choose Add DCs. Tick the required domain controllers and click OK.

Figure 14. Adding domain controllers

5) Select the added DCs and click Edit. Enter the FQDN of the DC, the domain username and password, and the connection type: WMI or Agent. Select WMI and click OK. WMI requires TCP 135 plus the dynamic RPC ports from the PSN to the DC, and the account needs DCOM/WMI rights to read the DC's Security event log (Cisco documents the exact permissions, so a domain administrator is not strictly required).

Figure 15. Entering domain controller details

6) If WMI is not the preferred way to communicate with Active Directory, ISE agents can be used instead: small agents installed on the servers that forward logon events to ISE. There are two installation options, automatic and manual. To install the agent automatically, in the same PassiveID tab click Add Agent → Deploy New Agent (the DC must have Internet access). Then fill in the required fields (agent name, server FQDN, domain administrator username/password) and click OK.

Figure 16. Automatic installation of the ISE agent

7) To install the Cisco ISE agent manually, select Register Existing Agent. The agent itself can be downloaded under Work Centers → PassiveID → Providers → Agents → Download Agent.

Figure 17. Downloading the ISE agent

Important: PassiveID does not see logoff events! The parameter responsible for the timeout is called user session aging time and is 24 hours by default. So you should either log off yourself at the end of the working day or write a script that automatically logs off all logged-in users.

Logoff information is instead obtained from "Endpoint probes". Cisco ISE has several endpoint probes: RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, NetFlow and NMAP Scan. The RADIUS probe, using CoA (Change of Authorization) packets, reports changes in user permissions (this requires 802.1X to be deployed), and SNMP configured on the access switches reports connected and disconnected devices.

The following example applies to a Cisco ISE + AD deployment without 802.1X and RADIUS: a user logs in on a Windows machine and, without logging off, logs in from another PC over Wi-Fi. The session on the first PC then stays active until the timeout expires or a forced logoff occurs, and if the two devices have different rights, the rights of the last device to log in apply.
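The script the text suggests for the missing logoff events, as an added example (not from the article): it parses quser on the local machine or on -ComputerName, and logs off every interactive session that has been idle longer than -IdleMinutes (0 means every session, which is the end-of-day use case). Run it as a scheduled task pushed by Group Policy, under an account with the right to log off other users, so that stale sessions end well before the 24-hour user session aging time. The parser assumes the English quser output format; the host name and the schedule are yours to choose.

```powershell
<#
 Added example: scheduled logoff of interactive sessions, the workaround suggested
 for PassiveID not seeing logoff events.  Not from the article or from Cisco.
 Assumes English Windows (quser prints "none"/"." for idle time) and admin rights.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # local machine, or a remote host reachable over RPC
    [int]   $IdleMinutes  = 0,                   # 0 = log off every session, whatever its idle time
    [switch]$DryRun                              # only report what would be logged off
)

function ConvertFrom-IdleTime {
    # quser shows idle time as "none", ".", "45" (minutes), "2:15" (h:mm) or "1+02:15" (d+hh:mm)
    param([string]$Text)
    switch -Regex ($Text) {
        '^(none|\.)$'          { return 0 }
        '^(\d+)$'              { return [int]$Matches[1] }
        '^(\d+):(\d+)$'        { return [int]$Matches[1] * 60 + [int]$Matches[2] }
        '^(\d+)\+(\d+):(\d+)$' { return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3] }
        default                { return 0 }
    }
}

function Get-UserSession {
    # Parses the quser table. The SESSIONNAME column is blank for disconnected sessions,
    # so the regex makes it optional; the current user's row is prefixed with '>'.
    param([string]$Computer)
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    $output = quser "/server:$Computer" 2>$null
    if (-not $output) { return }   # no interactive sessions, or the RPC call was blocked
    foreach ($line in ($output | Select-Object -Skip 1)) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                User    = $Matches.user
                Session = $Matches.session        # $null for disconnected sessions
                Id      = [int]$Matches.id
                State   = $Matches.state
                Idle    = ConvertFrom-IdleTime $Matches.idle
                Logon   = $Matches.logon.Trim()
            }
        }
    }
}

foreach ($s in Get-UserSession -Computer $ComputerName) {
    if ($s.Idle -lt $IdleMinutes) {
        Write-Host "keep   $($s.User) (id $($s.Id), idle $($s.Idle) min)"
        continue
    }
    Write-Host "logoff $($s.User) (id $($s.Id), $($s.State), idle $($s.Idle) min, logon $($s.Logon))"
    if (-not $DryRun) { logoff $s.Id "/server:$ComputerName" }
}
```

Logging a user off discards unsaved work, so test with -DryRun first and consider a non-zero -IdleMinutes for daytime runs; the unconditional end-of-day run is what closes the gap between the real logoff and the 24-hour aging timer that the text describes.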

8) Optionally, in Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory you can select the AD groups to pull into ISE (in our case this was done in section 3, "Adding LDAP servers"). Choose Retrieve Groups → OK.

Figure 18a. Pulling user groups from Active Directory

9) In Work Centers → PassiveID → Overview → Dashboard you can see the number of active sessions, data sources, agents and more.

Figure 19. Monitoring the activity of domain users

10) The Live Sessions tab shows the current sessions. Integration with AD is configured.

Figure 20. Active sessions of domain users

5. Conclusion

This article covered creating local users in Cisco ISE, adding LDAP servers and integrating with Microsoft Active Directory. The next article will cover guest access in the form of a detailed guide.

If you have questions about this topic or need help testing the product, please contact us via the link.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
