
Discovery 3: Integrate Cisco ISE with Active Directory


Introduction
In this activity, you will integrate Cisco ISE with Active Directory. First, you will perform a native
integration of Cisco ISE to Microsoft Active Directory. Next, you will populate the Cisco ISE dictionary
with Active Directory attributes.

Task 1: Configure Active Directory Integration


In this task, you will configure Cisco ISE to integrate with Microsoft Active Directory. You will then
configure Active Directory group and user attributes on Cisco ISE for use in later labs.

Activity Procedure
Complete the following steps:

Join Microsoft Active Directory


Step 1 From the lab topology tab, open a connection to the ISE CLI.
Step 2 At the login prompt, log in with the username and password: admin / ISEisC00L.

Step 3 You should see the following prompt: ise-1/admin#


Step 4 Enter the show application status ise command. Continue only when the Application
Server process is in the running state; if it is not, issue the same command again to
re-check the process status.
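The readiness check in Step 4 is easy to get wrong when scripted, because a process that shows as initializing will accept no logins yet. The following is an added example, not part of the lab guide or any Cisco tool: it parses a constructed excerpt in the shape of the show application status ise table (real output lists more processes) and re-polls until the Application Server row reports running. The fetch_status callback, the column spacing and the process names in the sample are assumptions for illustration.

```python
import re
import time

# Constructed sample of the status table, not captured from the lab.
# The Application Server is still initializing, so the lab must not continue yet.
SAMPLE_STATUS_OUTPUT = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          12345
Database Server                        running          90 PROCESSES
Application Server                     initializing
Profiler Database                      running          23456
"""

# Same constructed table after the Application Server has come up.
READY_OUTPUT = SAMPLE_STATUS_OUTPUT.replace(
    "Application Server                     initializing",
    "Application Server                     running          34567",
)

# One table row: process name, two or more spaces, a state word, optional PID column.
# "not running" is two words, so it is matched before the single-word states.
ROW_RE = re.compile(r"^(?P<name>.+?)\s{2,}(?P<state>not running|[a-z]+)(?:\s{2,}(?P<pid>.*))?$")


def parse_process_states(output: str) -> dict:
    """Return {process name: state} for every data row in the status table."""
    states = {}
    for line in output.splitlines():
        line = line.rstrip()
        # Skip the header, the dashed separator and blank lines.
        if not line or line.startswith("-") or line.startswith("ISE PROCESS NAME"):
            continue
        match = ROW_RE.match(line)
        if match:
            states[match.group("name").strip()] = match.group("state")
    return states


def application_server_ready(output: str) -> bool:
    """True only when the Application Server row reports exactly 'running'."""
    return parse_process_states(output).get("Application Server") == "running"


def wait_for_application_server(fetch_status, attempts=30, delay=10, sleep=time.sleep) -> bool:
    """Re-issue the status command via fetch_status() until the Application Server is
    running. Returns False if it has not come up within the attempt budget."""
    for _ in range(attempts):
        if application_server_ready(fetch_status()):
            return True
        sleep(delay)
    return False


if __name__ == "__main__":
    # Simulate three CLI polls: two while initializing, then one once running.
    polls = iter([SAMPLE_STATUS_OUTPUT, SAMPLE_STATUS_OUTPUT, READY_OUTPUT])
    print(wait_for_application_server(lambda: next(polls), attempts=5, delay=0))
```

In real use fetch_status would wrap an SSH session to the ISE CLI that runs the command and returns its text; the parser deliberately requires the literal state running rather than "anything but initializing", so a disabled or not running process also blocks the join.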

Step 5 On the ISE Admin Portal, navigate to Work Centers > Network Access > Overview.
Select the Introduction link in the left-hand panel. In the Prepare panel of the Work
Center, select the External Identity Stores link. From there, under External Identity
Sources in the left pane, select Active Directory.

Step 6 In the right pane, click Add in the toolbar.

Step 7 Enter demo.local in both the Join Point Name and the Active Directory Domain
fields.

Step 8 Click Submit.


Step 9 A pop-up window asks if you would like to join all ISE nodes to this Active Directory
Domain. Click Yes.

Step 10 In the Join Domain box, use the credentials administrator / ISEisC00L.
Step 11 Select Specify Organization Unit checkbox.
Step 12 Modify the DN value to match the following:
OU=HCC,DC=DEMO,DC=LOCAL

Step 13 Click OK.


Step 14 Once the process is completed, click the Close button.

Run Diagnostic Tools


Step 15 Select the ise-1 node from the list.
Step 16 From the toolbar, click Diagnostic Tool.
Step 17 Observe the different test names and that some are external – referenced by the join
point demo.local, and some are internal – referenced by the join point system.
Step 18 Expand Run Tests and click the button Run All Tests.
Note The test may take a few minutes to run.

Step 19 All tests should run with a status of Successful. Compare your output with the
following screenshot.

Note Click the toolbar button View Test Details to view a text-based output report where data can be
copied out for a baseline to compare against in the future.

Step 20 Scroll down and click Close.


Add Active Directory Attributes to Cisco ISE Dictionary
Step 21 In the left pane, click the demo.local entry under Active Directory.
Step 22 In the right pane, click the Groups tab. You may need to adjust the browser zoom
settings to display the upper tabs.
Step 23 Click the +Add button on the toolbar and choose Select Groups from Directory.

Step 24 Cisco ISE has expanded the filter capabilities in selecting groups from Active
Directory. Leave the Type Filter as All and click the Retrieve Groups… button.

Step 25 Observe the list and notice there are many groups that likely would not be applicable
for utilization in Cisco ISE for policy matching.
Step 26 Now change the Type Filter to GLOBAL and click the Retrieve Groups… button.
Step 27 The resulting list is now more likely appropriate for policy usage. Select the entire list
of groups by checking the Name box in the header field.

Step 28 From that list, deselect the following groups.


• Demo.local/Users/Cloneable Domain Controllers
• Demo.local/Users/DnsUpdateProxy
• Demo.local/Users/Domain Controllers
• Demo.local/Users/Domain Guests
• Demo.local/Users/Group Policy Creator Owners
• Demo.local/Users/Key Admins
• Demo.local/Users/Protected Users
• Demo.local/Users/Read-only Domain Controllers
Step 29 Your list should match the following screenshot.

Step 30 Click OK.


Step 31 Click Save at the bottom.

Step 32 In the left pane, click the demo.local entry under Active Directory again.
Step 33 In the right pane, click the Attributes tab.
Step 34 Click the +Add button on the toolbar and choose Select Attributes from Directory.

Step 35 Enter employee2 in the Sample User or Machine Account text box and click the
Retrieve Attributes… button.
Step 36 Select badPwdCount and userPrincipalName from the list and click OK.

Note Only attributes that are set on the sample account will be shown. If one account does not have an
attribute set (for example Job Title or Department) and a different account does, those attributes
appear only when retrieving attributes from the account that has them set. An attribute could also be
set after this list is pulled; if that user is queried again, the additional attribute will appear in the list.
Step 37 Scroll down and click Save.

Test Authentication
Cisco ISE can test user authentication against Active Directory using several methods. You will
explore this feature in the steps below.
Step 38 Click on the Connection tab.
Step 39 In the below pane, select the ISE node ise-1.demo.local checkbox.
Step 40 Select Test User from the toolbar.
Step 41 Change the Authentication Type to Lookup.
Step 42 Enter employee2 as the Username.
Step 43 Click the Test button.

Step 44 Observe the test result in the box shown, then the Processing Steps at the bottom of
the Authentication Result tab. An example screenshot of this is shown above. Now
click the Groups and then the Attributes tabs and observe the details therein.
Step 45 Change the Authentication Type to Kerberos.
Step 46 Use credentials employee2/ISEisC00L.
Step 47 Click the Test button.
Step 48 Observe the Processing Steps at the bottom of the Authentication Result tab.
Notice that the Authentication Ticket (TGT) requests succeeded and the next two line
items indicate Kerberos success.
Step 49 Change the Authentication Type to MS-RPC.
Step 50 Click the Test button.
Step 51 Observe the Processing Steps at the bottom of the Authentication Result tab.

Step 52 Close the test user authentication pop-up window.

Activity Verification
You have completed this task when you attain these results:
• You have successfully joined the Cisco ISE to demo.local.
• You have successfully added Active Directory groups and user attributes to Cisco ISE.
• You have successfully tested user authentication via all three authentication types.
