Discovery 3: Integrate Cisco ISE With Active Directory
Activity Procedure
Complete the following steps:
Step 5 On the ISE Admin Portal, navigate to Work Centers > Network Access > Overview.
Select the Introduction link in the left-hand panel. In the Prepare panel of the Work
Center, select the External Identity Stores link. From there, under External Identity
Sources in the left pane, select Active Directory.
Step 7 Enter demo.local in both the Join Point Name and the Active Directory Domain
fields.
Step 10 In the Join Domain box, enter the credentials administrator / ISEisC00L.
Note The join credentials are used only to create the ISE machine account during the join and are not
stored by ISE afterwards. The lab uses the domain administrator for convenience; in production, use an
account that is delegated only the right to create and manage computer objects in the target OU.
Step 11 Select the Specify Organizational Unit checkbox.
Step 12 Modify the DN value so that the ISE machine account is created under the lab OU rather than
the default Computers container:
OU=HCC,DC=DEMO,DC=LOCAL
Step 19 All tests should run with a status of Successful. Compare your output with the
following screenshot.
Note Click the toolbar button View Test Details to view a text-based output report where data can be
copied out for a baseline to compare against in the future.
Step 24 Cisco ISE has expanded the filter capabilities for selecting groups from Active
Directory. Leave the Type Filter as All and click the Retrieve Groups… button.
Step 25 Observe the list and notice that it contains many built-in and domain-local groups that
are unlikely to be useful for policy matching in Cisco ISE.
Step 26 Now change the Type Filter to GLOBAL and click the Retrieve Groups… button.
Step 27 The resulting list is now more appropriate for policy usage. Select the entire list of
groups by checking the Name box in the header row. In a production deployment, select only the
groups that policies will actually reference so that policy conditions stay manageable.
Step 32 In the left pane, click the demo.local entry under Active Directory again.
Step 33 In the right pane, click the Attributes tab.
Step 34 Click the +Add button on the toolbar and choose Select Attributes from Directory.
Step 35 Enter employee2 in the Sample User or Machine Account text box and click the
Retrieve Attributes… button.
Step 36 Select badPwdCount and userPrincipalName from the list and click OK.
Note Only attributes that are populated on the sample account are listed. If employee2 has no value
for an attribute that another account does have set, for example Job Title or Department, retrieve
attributes from that other account to see it. An attribute populated after the list is pulled will
appear the next time that account is queried.
Step 37 Scroll down and click Save.
Test Authentication
Cisco ISE can test user authentication against Active Directory in several ways: Lookup retrieves the
user's groups and attributes without a password, Kerberos validates the password the way PAP
authentications do, and MS-RPC validates it the way MS-CHAPv2 authentications (for example
PEAP-MSCHAPv2) do. You will exercise all three in the steps below.
Step 38 Click on the Connection tab.
Step 39 In the pane below, select the checkbox for the ISE node ise-1.demo.local.
Step 40 Select Test User from the toolbar.
Step 41 Change the Authentication Type to Lookup.
Step 42 Enter employee2 in the Username field.
Step 43 Click the Test button.
Step 44 Observe the test result in the box shown, and the Processing Steps at the bottom of the
Authentication Result tab. An example screenshot of this is shown above. Now click the Groups
tab and then the Attributes tab and observe the groups and attribute values retrieved for the user.
Step 45 Change the Authentication Type to Kerberos.
Step 46 Use credentials employee2/ISEisC00L.
Step 47 Click the Test button.
Step 48 Observe the Processing Steps at the bottom of the Authentication Result tab. Notice that
the ticket-granting ticket (TGT) request succeeded and that the next two line items indicate
Kerberos success.
Step 49 Change the Authentication Type to MS-RPC.
Step 50 Click the Test button.
Step 51 Observe the Processing Steps at the bottom of the Authentication Result tab. A successful
result here confirms the MS-RPC path that MS-CHAPv2 authentications will use.
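The following PowerShell script is an added example, not part of the lab guide or of Cisco's own tooling. It checks from the Active Directory side what the steps above relied on: that the ISE machine account landed in the specified OU, which global security groups exist (assumed to be what the GLOBAL type filter returns), the two selected attributes for employee2, and a password validation comparable to the Kerberos test. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and read rights on demo.local, that the ISE node joined with the computer name ise-1, and the lab credentials from the guide.

```powershell
# Added example (not from the lab guide): verify, from the AD side, what the ISE join,
# group retrieval, attribute retrieval and Test User steps relied on.
# Assumptions: RSAT ActiveDirectory module present; the ISE node joined as ise-1;
# the OU, user and password are the lab values from the guide.
Import-Module ActiveDirectory

$Domain   = 'demo.local'
$TargetOU = 'OU=HCC,DC=DEMO,DC=LOCAL'
$IseName  = 'ise-1'
$TestUser = 'employee2'
$TestPass = 'ISEisC00L'   # lab-only credential from the guide

# 1. The join should have created the ISE machine account inside the OU given in the
#    Specify Organizational Unit step, not in the default Computers container.
$iseComputer = Get-ADComputer -Server $Domain -Filter "Name -eq '$IseName'" `
    -Properties distinguishedName, servicePrincipalName, whenCreated
if (-not $iseComputer) {
    Write-Warning "No computer object named $IseName found; the join did not complete."
} elseif ($iseComputer.DistinguishedName -notlike "*,$TargetOU") {
    Write-Warning "ISE machine account is at $($iseComputer.DistinguishedName), not under $TargetOU."
} else {
    Write-Host "ISE machine account: $($iseComputer.DistinguishedName) (created $($iseComputer.whenCreated))"
}

# 2. Global security groups: assumed to be the set the GLOBAL type filter in ISE returns
#    (AD GroupScope Global, GroupCategory Security), as opposed to the built-in
#    domain-local groups that the All filter also lists.
$globalGroups = Get-ADGroup -Server $Domain `
    -Filter 'GroupScope -eq "Global" -and GroupCategory -eq "Security"' | Sort-Object Name
Write-Host ("{0} global security groups available for ISE policy:" -f $globalGroups.Count)
$globalGroups | ForEach-Object { Write-Host "  $($_.DistinguishedName)" }

# 3. The two attributes added in ISE. badPwdCount is not replicated between domain
#    controllers (each DC keeps its own counter), so read it from every DC; the value ISE
#    shows is the one held by whichever DC ISE is currently bound to.
$user = Get-ADUser -Server $Domain -Identity $TestUser -Properties userPrincipalName, memberOf
Write-Host "userPrincipalName: $($user.UserPrincipalName)"
Write-Host "Group memberships (what the Lookup test's Groups tab should list):"
$user.MemberOf | ForEach-Object { Write-Host "  $_" }
Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
    $perDc = Get-ADUser -Identity $TestUser -Server $_.HostName -Properties badPwdCount
    Write-Host ("badPwdCount on {0}: {1}" -f $_.HostName, $perDc.badPwdCount)
}

# 4. Counterpart of the Kerberos Test User run: validate the password with Negotiate,
#    which uses Kerberos when the KDC is reachable. A wrong password increments
#    badPwdCount on the DC that handled the attempt. There is no direct PowerShell
#    analogue of the MS-RPC test; that path is exercised by the ISE tool itself.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ctxType, $Domain)
$ok = $ctx.ValidateCredentials($TestUser, $TestPass, [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
$ctx.Dispose()
Write-Host ("Negotiate/Kerberos bind as {0}: {1}" -f $TestUser, $(if ($ok) { 'Successful' } else { 'Failed' }))
```

Run the script after Step 51 and compare: the machine account DN should sit under OU=HCC,DC=DEMO,DC=LOCAL, the global security groups should match the GLOBAL retrieval in Step 26, the group memberships should match the Groups tab of the Lookup test, and the bind should report Successful. If badPwdCount differs between domain controllers, that is expected and explains why the value ISE displays can differ from what a given DC reports.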
Activity Verification
You have completed this task when you attain these results:
You have successfully joined Cisco ISE to demo.local.
You have successfully added Active Directory groups and user attributes to Cisco ISE.
You have successfully tested user authentication via all three authentication types (Lookup,
Kerberos, and MS-RPC).