Cisco ISE 1.3 Administrator Guide: Active Directory as an External Identity Source
Step 4 Check the check box next to the new Active Directory join point that you created and click Edit, or click the new Active Directory join point in the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their status.
Step 5 Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain.
You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a domain in a single operation, the username and password of the account to be used must be the same for all join operations. If a different username and password are required to join each Cisco ISE node, the join operation should be performed individually for each Cisco ISE node.
Step 6 Enter the Active Directory username and password in the Join Domain dialog box that opens.
It is strongly recommended that you choose Store credentials, in which case your administrator's username and password will be saved in order to be used for all Domain Controllers (DCs) that are configured for monitoring.
The user used for the join operation should exist in the domain itself. If it exists in a different domain or subdomain, the username should be written in UPN notation, for example [email protected].
Step 7 (Optional) Check the Specify Organizational Unit check box.
Check this check box if the Cisco ISE node machine account is to be located in a specific Organizational Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the specified organizational unit, or moves it to this location if the machine account already exists. If the organizational unit is not specified, Cisco ISE uses the default location. The value should be specified in full distinguished name (DN) format. The syntax must conform to the Microsoft guidelines. Special reserved characters, such as / ' + , ; = line feed, space, and carriage return, must be escaped by a backslash (\). For example: OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this check box. You can also change the location of the machine account after you join the Active Directory domain.
Step 8 Click OK.
You can select more than one node to join to the Active Directory domain.
If the join operation is not successful, a failure message appears. Click the failure message for each node to view detailed logs for that node.
When the join is complete, Cisco ISE updates its AD groups and corresponding SIDs. Cisco ISE automatically starts the SID update process. You must ensure that this process is allowed to complete.
Note: You might not be able to join Cisco ISE with an Active Directory domain if the DNS SRV records are missing (the domain controllers do not advertise their SRV records for the domain that you are trying to join). Refer to the following Microsoft Active Directory documentation for troubleshooting information:
• http://support.microsoft.com/kb/816587
• http://technet.microsoft.com/en-us/library/bb727055.aspx
What to Do Next
Configure Active Directory User Groups, on page 257
Configure authentication domains.
Cisco Identity Services Engine Administrator Guide, Release 1.3 255 Active Directory as an External Identity Source
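The OU value entered in Step 7 must be a full DN with its reserved characters escaped, and a comma left unescaped inside an OU name is read as an RDN separator, so the machine account ends up in the wrong place or the join fails. The following Python helpers are an added example, not Cisco's code: they build a DN from a list of OU names, parse a DN back into its RDNs while honouring backslash escapes, and report a DN that does not parse cleanly. Escaping follows RFC 4514 and the Microsoft DN rules the guide refers to; in those rules only a leading or trailing space needs a backslash, which is why the guide's own example leaves the interior space in OU=IT Servers unescaped. The OU names and the domain someDomain.someTLD are taken from the guide's example; everything else is constructed.

```python
"""Build and check the OU distinguished name for the Specify Organizational
Unit field.  Added example, not Cisco code.  Escaping follows RFC 4514 and
the Microsoft DN rules the guide refers to."""

# Characters that always need a backslash inside an RDN value.  RFC 4514
# lists , + " \ < > ; and a leading # or =; Microsoft also escapes / and the
# guide's list includes ' as well.  A leading or trailing space is escaped
# too, but an interior space (as in "IT Servers") is not.
SPECIAL = set(',+"\\<>;=/\'')
HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (for example an OU name) for use in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch in "\r\n":
            out.append("\\%02X" % ord(ch))   # control chars as backslash + 2 hex digits
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_ou_dn(ou_path, domain_dns: str) -> str:
    """ou_path lists OU names from the leaf (where the machine account will
    live) up to the domain root; domain_dns is the domain's DNS name."""
    rdns = ["OU=" + escape_rdn_value(ou) for ou in ou_path]
    rdns += ["DC=" + escape_rdn_value(label) for label in domain_dns.split(".")]
    return ",".join(rdns)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    Raises ValueError on a malformed DN, e.g. an OU name whose comma was not
    escaped, so the mistake is caught before the join is attempted."""
    rdns, attr, value = [], None, []
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 2]
            if not nxt:
                raise ValueError("dangling backslash at end of DN")
            if nxt in SPECIAL or nxt in " #":
                value.append(nxt)
                i += 2
            else:
                pair = dn[i + 1:i + 3]
                if len(pair) != 2 or not set(pair) <= HEX:
                    raise ValueError("bad escape sequence at offset %d" % i)
                value.append(chr(int(pair, 16)))
                i += 3
        elif ch == "=" and attr is None:
            attr, value = "".join(value), []
            i += 1
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' before offset %d" % i)
            rdns.append((attr, "".join(value)))
            attr, value = None, []
            i += 1
        else:
            value.append(ch)
            i += 1
    if attr is None:
        raise ValueError("RDN without '=' at end of DN")
    rdns.append((attr, "".join(value)))
    return rdns


def dn_problem(dn: str):
    """Return None if dn parses cleanly, else the parser's complaint."""
    try:
        parse_dn(dn)
        return None
    except ValueError as exc:
        return str(exc)


# The guide's own example DN, rebuilt from its unescaped parts.
EXAMPLE_OU_PATH = ["Cisco ISE,US", "IT Servers", "Servers, and Workstations"]
EXAMPLE_DN = build_ou_dn(EXAMPLE_OU_PATH, "someDomain.someTLD")

if __name__ == "__main__":
    print(EXAMPLE_DN)
    for attr, val in parse_dn(EXAMPLE_DN):
        print("  %s = %r" % (attr, val))
    # The same OU path with the comma in "Cisco ISE,US" left unescaped:
    print(dn_problem("OU=Cisco ISE,US,DC=someDomain,DC=someTLD"))
```

Running dn_problem over the DN before pasting it into the Specify Organizational Unit field is a cheap pre-check; the unescaped variant in the last line fails because "US" is parsed as a second RDN with no attribute name.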
Leave the Active Directory Domain
If you no longer need to authenticate users or machines from this Active Directory domain or from this join point, you can leave the Active Directory domain.
When you reset the Cisco ISE application configuration from the command-line interface, or restore the configuration after a backup or upgrade, Cisco ISE performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain if it is already joined. However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform the leave operation from the Admin portal with the Active Directory credentials, because it also removes the node account from the Active Directory domain. This is also recommended when you change the Cisco ISE hostname.
Before You Begin
If you leave the Active Directory domain but still use Active Directory as an identity source for authentication (either directly or as part of an identity source sequence), authentications may fail.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Check the check box next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses.
Step 3 Check the check box next to the Cisco ISE node and click Leave.
Step 4 Enter the Active Directory username and password, and click OK to leave the domain and remove the machine account from the Cisco ISE database.
If you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco ISE machine account from the Active Directory database.
Note: To delete the Cisco ISE machine account from the Active Directory database, the Active Directory credentials that you provide here must have permission to remove a machine account from the domain.
Step 5 If you do not have the Active Directory credentials, check the No Credentials Available check box, and click OK.
If you check the Leave domain without credentials check box, the primary Cisco ISE node leaves the Active Directory domain. The Active Directory administrator must manually remove the machine account that was created in Active Directory at the time of the join.
Configure Authentication Domains
The domain to which Cisco ISE is joined has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that authentications are performed against the selected domains only. Authentication domains improve security because they instruct Cisco ISE to authenticate users only from the selected domains and not from all domains trusted by the join point. Authentication domains also improve the performance and latency of authentication request processing because they limit the search area (that is, where accounts matching the incoming username or identity will be searched for). This is especially important when the incoming username or identity does not contain domain markup (prefix or suffix). For these reasons, configuring authentication domains is a best practice, and we highly recommend it.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Authentication Domains tab.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
Step 3 To allow only specified domains, uncheck the Use all Active Directory domains for authentication check box.
Step 4 Check the check box next to the domains for which you want to allow authentication, and click Enable Selected. In the Authenticate column, the status of this domain changes to Yes.
You can also disable selected domains.
Step 5 Click Show Unusable Domains to view a list of domains that cannot be used. Unusable domains are domains that Cisco ISE cannot use for authentication for reasons such as a one-way trust, selective authentication, and so on.
What to Do Next
Configure Active Directory user groups.
Configure Active Directory User Groups
You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. SIDs provide accurate group assignment matching.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Groups tab.
Step 3 Do one of the following:
a) Choose Add > Select Groups From Directory to choose an existing group.
b) Choose Add > Add Group to manually add a group. You can either provide both the group name and SID, or provide only the group name and press Fetch SID.
Do not use double quotes (") in the group name for the user interface login.
Step 4 If you are manually selecting a group, you can search for groups using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character to filter the results. You can retrieve only 500 groups at a time.
Step 5 Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.
Step 6 If you chose to manually add a group, enter a name and SID for the new group.
Step 7 Click OK.
Step 8 Click Save.
Note: If you delete a group and create a new group with the same name as the original, you must click Update SID Values to assign the new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first join.
What to Do Next
Configure Active Directory user attributes.
Configure Active Directory User and Machine Attributes
You must configure Active Directory user and machine attributes to be able to use them in conditions in authorization policies.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Attributes tab.
Step 3 Choose Add > Add Attribute to manually add an attribute, or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.
Step 4 If you chose to add attributes from the directory, enter the name of a user in the Sample User or Machine Account field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter administrator to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.
Note: When you enter an example username, ensure that you choose a user from the Active Directory domain to which Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with "host/" or use the SAM$ format. For example, you might use host/myhost. The example values displayed when you retrieve attributes are provided for illustration only and are not stored.
Step 5 Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.
Step 6 If you chose to manually add an attribute, enter a name for the new attribute.
Step 7 Click Save.
Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings
Before You Begin
You must join Cisco ISE to the Active Directory domain. For more information, see Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point, on page 254.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Check the check box next to the relevant Cisco ISE node and click Edit.
Step 3 Click the Advanced Settings tab.
Step 4 Modify, as required, the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings.
These options are enabled by default.
Step 5 Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
Support for Active Directory Multi-Join Configuration
Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. An Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join.
You can join the same forest more than once, that is, you can join more than one domain in the same forest, if necessary.
Cisco ISE now allows you to join domains with a one-way trust. This option helps bypass the permission issues caused by a one-way trust. You can join either of the trusted domains and hence be able to see both domains.
• Join Point—In Cisco ISE, each independent join to an Active Directory domain is called a join point. The Active Directory join point is a Cisco ISE identity store and can be used in authentication policy. It has an associated dictionary for attributes and groups, which can be used in authorization conditions.
• Scope—A subset of Active Directory join points grouped together is called a scope. You can use scopes in authentication policy in place of a single join point and as authentication results. Scopes are used to authenticate users against multiple join points. Instead of having multiple rules, one for each join point, if you use a scope you can create the same policy with a single rule, which saves the time that Cisco ISE takes to process a request and helps improve performance. A join point can be present in multiple scopes. A scope can be included in an identity source sequence. You cannot use scopes in an authorization policy condition because scopes do not have any associated dictionaries.
When you perform a fresh Cisco ISE install, by default no scopes exist. This is called no scope mode. When you add a scope, Cisco ISE enters multi-scope mode. If you want, you can return to no scope mode; all the join points will then be moved to the Active Directory folder.
• Initial_Scope is an implicit scope that is used to store the Active Directory join points that were added in no scope mode. When multi-scope mode is enabled, all the Active Directory join points move into the automatically created Initial_Scope. You can rename the Initial_Scope.
• All_AD_Instances is a built-in pseudo scope that is not shown in the Active Directory configuration. It is only visible as an authentication result in policy and identity sequences. You can select this scope if you want to select all Active Directory join points configured in Cisco ISE.
Create a New Scope to Add Active Directory Join Points
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Scope Mode.
A default scope called Initial_Scope is created, and all the current join points are placed under this scope.
Step 3 To create more scopes, click Add.
Step 4 Enter a name and a description for the new scope.
Step 5 Click Submit.
Identity Rewrite
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix or other additional markup of your choice.
Identity rewrite rules are applied to the username or hostname received from the client, before it is passed to Active Directory, for operations such as subject searches, authentication, and authorization queries. Cisco ISE matches the condition tokens, and when the first one matches, Cisco ISE stops processing the policy and rewrites the identity string according to the result.
During the rewrite, everything enclosed in square brackets [] (such as [IDENTITY]) is a variable: it is not evaluated as a fixed string on the evaluation side, but instead takes the value of the string that occupies that location in the identity. Everything without the brackets is evaluated as a fixed string on both the evaluation side and the rewrite side of the rule.
The following are some examples of identity rewrite. For the first three, the identity entered by the user is ACME\jdoe; the later examples name their own input.
• If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This rule instructs Cisco ISE to strip the ACME prefix from all usernames that carry it.
• If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]@ACME.com.
The result would be jdoe@ACME.com. This rule instructs Cisco ISE to change the format from prefix to suffix notation, or from NetBIOS format to UPN format.
• If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY].
The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate prefix.
• If the identity matches [DOMAIN]\[IDENTITY].USA, rewrite as [IDENTITY]@[DOMAIN].com.
For an identity of ACME\jdoe.USA the result would be jdoe@ACME.com. This rule instructs Cisco ISE to strip the realm after the dot (in this case the country) and replace it with the correct domain. The prefix must be captured as a token on the evaluation side if it is to be reused on the rewrite side.
• If the identity matches E=[IDENTITY], rewrite as [IDENTITY].
For an identity of E=jdoe the result would be jdoe. This is an example rule that can be created when the identity is taken from a certificate, the field is an email address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove 'E='.
• If the identity matches E=[EMAIL],[DN], rewrite as [DN].
This rule changes E=[email protected],CN=jdoe,DC=acme,DC=com to the pure DN CN=jdoe,DC=acme,DC=com. This is an example rule that can be created when the identity is taken from a certificate subject and Active Directory is configured to search for the user by DN. This rule instructs Cisco ISE to strip the email prefix and produce the DN.
The following are some common mistakes made when writing identity rewrite rules:
• If the identity matches [DOMAIN]\[IDENTITY], rewrite as [IDENTITY]@DOMAIN.com.
Here the result for ACME\jdoe would be the literal string jdoe@DOMAIN.com, because [DOMAIN] was not put in square brackets [] on the rewrite side of the rule.
• If the identity matches DOMAIN\[IDENTITY], rewrite as [IDENTITY]@[DOMAIN].com.
Here again, [DOMAIN] was not put in square brackets [] on the evaluation side of the rule: the condition matches only identities whose prefix is literally DOMAIN, and the [DOMAIN] token on the rewrite side has nothing to take its value from.
Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also apply to identities taken from certificates if EAP-TLS is being used.
Enable Identity Rewrite
Note: This configuration task is optional. You can perform it to reduce authentication failures that can arise for various reasons, such as ambiguous identity errors.
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Advanced Settings tab.
Step 3 Under the Identity Rewrite section, choose whether you want to apply the rewrite rules to modify usernames.
Step 4 Enter the match conditions and the rewrite results. You can remove the default rule that appears and enter the rule according to your requirement. Cisco ISE processes the policy in order, and the first condition that matches the request username is applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username to the result. If none of the rules match, the identity name remains unchanged. You can click the Launch Test button to preview the rewrite processing.
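The token semantics described in the Identity Rewrite section, implemented in Python as an added example (this is not Cisco's code and not how ISE is implemented internally; it only reproduces the behaviour the guide specifies): a bracketed token captures whatever occupies its position, everything else is a literal, rules are tried in order, the first one that matches the whole identity wins, and an identity that matches nothing is returned unchanged. The rule_error check refuses the two malformed rules listed under common mistakes, where a token is used on one side only. One assumption is flagged in the code: literal text is compared case-insensitively, as Active Directory names are, because the guide does not say how ISE folds case. The sample policy is built from the guide's own rules, with the realm-stripping rule in its corrected form.

```python
import re

# A token is any [NAME]; text outside the brackets is literal.
TOKEN = re.compile(r"\[([A-Za-z0-9_]+)\]")
SPLIT = re.compile(r"(\[[A-Za-z0-9_]+\])")


def rule_error(match: str, result: str):
    """Describe why a rule is malformed, or return None if it is usable.
    This is the check that catches the two "common mistakes" above: a token
    that appears on only one side of the rule."""
    names = TOKEN.findall(match)
    if len(set(names)) != len(names):
        return "a token is used more than once on the evaluation side"
    dangling = sorted(set(TOKEN.findall(result)) - set(names))
    if dangling:
        return "rewrite side uses %s, which the evaluation side never captures" % (
            ", ".join("[%s]" % n for n in dangling))
    return None


def compile_rule(match: str, result: str):
    """Turn one rule into (compiled regex, result template)."""
    problem = rule_error(match, result)
    if problem:
        raise ValueError("%s -> %s: %s" % (match, result, problem))
    pattern = "".join(
        "(?P<%s>.+?)" % part[1:-1] if SPLIT.fullmatch(part) else re.escape(part)
        for part in SPLIT.split(match))
    # Assumption: literal text is compared case-insensitively, as AD names
    # are; the guide does not say how ISE folds case.
    return re.compile(pattern, re.IGNORECASE), result


def compile_rules(pairs):
    """pairs: iterable of (match condition, rewrite result) in policy order."""
    return [compile_rule(m, r) for m, r in pairs]


def rewrite_identity(identity: str, rules) -> str:
    """Apply the rules in order.  The first condition that matches the whole
    identity wins; its captured tokens are substituted into the result.  If
    nothing matches, the identity is returned unchanged."""
    for regex, template in rules:
        m = regex.fullmatch(identity)
        if m:
            return TOKEN.sub(lambda t: m.group(t.group(1)), template)
    return identity


# The guide's examples as a single policy.  Order matters: the DN rule must
# come before E=[IDENTITY], which would otherwise swallow the whole subject.
GUIDE_RULES = compile_rules([
    ("E=[EMAIL],[DN]", "[DN]"),                          # cert subject -> DN
    ("E=[IDENTITY]", "[IDENTITY]"),                      # cert e-mail -> name
    ("[DOMAIN]\\[IDENTITY].USA", "[IDENTITY]@[DOMAIN].com"),  # strip realm
    ("ACME\\[IDENTITY]", "[IDENTITY]@ACME.com"),         # NetBIOS -> UPN
])

if __name__ == "__main__":
    for ident in ["ACME\\jdoe", "ACME\\jdoe.USA", "E=jdoe",
                  "E=jdoe@acme.com,CN=jdoe,DC=acme,DC=com", "OTHER\\jdoe"]:
        print("%-45s -> %s" % (ident, rewrite_identity(ident, GUIDE_RULES)))
    # The second "common mistake" is rejected before it can be applied:
    print(rule_error("DOMAIN\\[IDENTITY]", "[IDENTITY]@[DOMAIN].com"))
```

Tokens capture lazily, so in E=[EMAIL],[DN] the e-mail stops at the first comma and the DN takes the remainder, which is the split the guide's example expects. The first common mistake ([IDENTITY]@DOMAIN.com) is not an error the checker can catch, because a literal DOMAIN on the rewrite side is a legal rule; it simply produces the literal jdoe@DOMAIN.com, which the Launch Test button in Step 4 will show.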
Identity Resolution Settings
Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, "ACME" is the domain markup prefix; similarly, in a UPN identity such as [email protected], "acme.com" is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or an alternative UPN suffix in your organization. For example, jdoe@gmail.com is treated as having no domain markup because gmail.com is not the DNS name of an Active Directory domain.
The identity resolution settings allow you to tune the balance between security and performance to match your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain markup. In cases when Cisco ISE is not aware of the user's domain, it can be configured to search for the user in all the authentication domains. Even if the user is found in one domain, Cisco ISE will wait for all responses in order to ensure that there is no identity ambiguity. This might be a lengthy process, depending on the number of domains, network latency, load, and so on.
Avoid Identity Resolution Issues
It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication: for example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors frequently, such as several Active Directory accounts matching the incoming username; for example, the same incoming username matches both [email protected] and [email protected]. In some cases, using fully qualified names is the only way to resolve the issue. In others, it may be sufficient to guarantee that the users have unique passwords. It is more efficient, and leads to fewer password lockout issues, if unique identities are used from the start.
Configure Identity Resolution Settings
Note: This configuration task is optional. You can perform it to reduce authentication failures that can arise for various reasons, such as ambiguous identity errors.
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Advanced Settings tab.
Step 3 Define the following settings for identity resolution for usernames or machine names under the Identity Resolution section. These settings give you advanced control over user search and authentication.
The first setting is for identities without a markup. In such cases, you can select any of the following options:
• Reject the request—This option fails the authentication for users who do not have any domain markup, such as a SAM name. This is useful in the case of multi-join domains, where Cisco ISE would otherwise have to look up the identity in all the joined global catalogs, which might not be very secure. This option forces the users to use names with domain markup.
• Only search in the "Authentication Domains" from the joined forest—This option searches for the identity only in those domains in the forest of the join point that are specified in the authentication domains section. This is the default option and is identical to Cisco ISE 1.2 behavior for SAM account names.
• Search in all the "Authentication Domains" sections—This option searches for the identity in all authentication domains in all the trusted forests. This might increase latency and impact performance.
The selection is made based on how the authentication domains are configured in Cisco ISE. If only specific authentication domains are selected, only those domains are searched (for both the "joined forest" and "all forests" selections).
The second setting is used if Cisco ISE cannot communicate with all the Global Catalogs (GCs) that it needs to in order to comply with the configuration specified in the "Authentication Domains" section. In such cases, you can select any of the following options:
• Proceed with available domains—This option proceeds with the authentication if it finds a match in any of the available domains. Because Cisco ISE normally waits for every domain to answer before treating an identity as unambiguous, proceeding with only the reachable domains also means that an identity which exists in an unreachable domain as well is resolved against the reachable copy alone.
• Drop the request—This option drops the authentication request if identity resolution encounters an unreachable or unavailable domain.
Test Users for Active Directory Authentication
The Test User tool can be used to verify user authentication from Active Directory. You can also fetch groups and attributes and examine them. You can run the test for a single join point or for scopes.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Choose one of the following options:
• To run the test on all join points, choose Advanced Tools > Test User for All Join Points.
• To run the test for a specific join point, select the join point and click Edit. Select the Cisco ISE node and click Test User.
Step 3 Enter the username and password of the user (or host) in Active Directory.
Step 4 Choose the authentication type. Password entry in Step 3 is not required if you choose the Lookup option.
Step 5 Select the Cisco ISE node on which you want to run this test, if you are running this test for all join points.
Step 6 Check the Retrieve Groups and Attributes check boxes if you want to retrieve the groups and attributes from Active Directory.
Step 7 Click Test.
The result and steps of the test operation are displayed. The steps can help to identify the failure reason and troubleshoot.
Delete Active Directory Configurations
You should delete Active Directory configurations if you are not going to use Active Directory as an external identity source. Do not delete the configuration if you want to join another Active Directory domain. You can leave the domain to which you are currently joined and join a new domain.
Before You Begin
Ensure that you have left the Active Directory domain.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Check the check box next to the configured Active Directory.
Step 3 Check and ensure that the Local Node status is listed as Not Joined.
Step 4 Click Delete.
You have removed the configuration from the Cisco ISE configuration database. This does not touch objects in Active Directory; the machine account is removed only by the leave operation. If you want to use Active Directory at a later point in time, you can resubmit a valid Active Directory configuration.
View Active Directory Joins for a Node
You can use the Node View button on the Active Directory page to view the status of all Active Directory join points for a given Cisco ISE node, or a list of all join points on all Cisco ISE nodes.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Node View.
Step 3 Select a node from the ISE Node drop-down list.
The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a deployment, this table may take several minutes to update.
Step 4 Click the join point Name link to go to that Active Directory join point page and perform other specific actions.
Step 5 Click the link in the Diagnostic Summary column to go to the Diagnostic Tools page to troubleshoot specific issues. The diagnostic tool displays the latest diagnostics results for each join point per node.
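Identity resolution as described earlier on this page, under Identity Resolution Settings and in Step 3 of Configure Identity Resolution Settings, worked through in Python as an added example (not Cisco's code, and not ISE's implementation; it reproduces only the behaviour the guide states): the incoming identity is classified by its markup, a name without markup is rejected or searched in the joined forest or in all forests, only the domains enabled under Authentication Domains are ever searched, every candidate domain is queried before the answer is declared unambiguous, and an unreachable global catalog either drops the request or is skipped. The directory is constructed for the example: domains AMER and EMEA in the joined forest acme.com, a trusted but currently unreachable forest partner.example, and the accounts jdoe (present in all three domains) and asmith (EMEA only, with the alternative UPN suffix acme.com).

```python
from dataclasses import dataclass, field

# The options from the Identity Resolution section, as plain constants.
REJECT, JOINED_FOREST, ALL_FORESTS = "reject", "joined_forest", "all_forests"
PROCEED, DROP = "proceed", "drop"


@dataclass
class Domain:
    dns: str                    # DNS name, e.g. "amer.acme.com"
    netbios: str                # NetBIOS (NTLM) name, e.g. "AMER"
    forest: str                 # DNS name of the forest root
    upn_suffixes: tuple = ()    # alternative UPN suffixes usable in this domain
    accounts: dict = field(default_factory=dict)   # sAMAccountName -> UPN
    reachable: bool = True      # can ISE reach this domain's global catalog?


# Constructed directory for the example: the joined forest acme.com has two
# domains that both contain a "jdoe"; a trusted second forest is unreachable.
DIRECTORY = [
    Domain("amer.acme.com", "AMER", "acme.com", ("acme.com",),
           {"jdoe": "jdoe@amer.acme.com"}),
    Domain("emea.acme.com", "EMEA", "acme.com", ("acme.com",),
           {"jdoe": "jdoe@emea.acme.com", "asmith": "asmith@acme.com"}),
    Domain("partner.example", "PARTNER", "partner.example", (),
           {"jdoe": "jdoe@partner.example"}, reachable=False),
]
ALL_DOMAINS = {d.dns for d in DIRECTORY}


def domain_markup(identity, directory):
    """Classify the identity: ("prefix", domains, sAM) for NetBIOS form,
    ("suffix", domains, upn) for UPN form, ("none", [], identity) otherwise.
    A suffix only counts as markup if it is an AD domain's DNS name or one
    of its UPN suffixes, so jdoe@gmail.com has no markup."""
    if "\\" in identity:
        prefix, sam = identity.split("\\", 1)
        hits = [d for d in directory if d.netbios.lower() == prefix.lower()]
        if hits:
            return "prefix", hits, sam
    elif "@" in identity:
        suffix = identity.rsplit("@", 1)[1].lower()
        hits = [d for d in directory if d.dns.lower() == suffix
                or suffix in [s.lower() for s in d.upn_suffixes]]
        if hits:
            return "suffix", hits, identity
    return "none", [], identity


def find_account(domain, key, kind):
    """Look the identity up in one domain; returns the UPN or None."""
    for sam, upn in domain.accounts.items():
        if kind != "suffix" and sam.lower() == key.lower():
            return upn
        if kind != "prefix" and upn.lower() == key.lower():
            return upn
    return None


def resolve(identity, directory, auth_domains, joined_forest="acme.com",
            no_markup=JOINED_FOREST, unreachable=PROCEED):
    """auth_domains: DNS names enabled under Authentication Domains.
    no_markup / unreachable: the first and second identity resolution settings."""
    kind, candidates, key = domain_markup(identity, directory)
    if kind == "none":
        if no_markup == REJECT:
            return ("rejected", "identity has no domain markup")
        candidates = [d for d in directory
                      if no_markup == ALL_FORESTS or d.forest == joined_forest]
    # Whatever the markup, only enabled authentication domains are searched.
    candidates = [d for d in candidates if d.dns in auth_domains]
    matches = []
    for d in candidates:
        if not d.reachable:
            if unreachable == DROP:
                return ("dropped", "global catalog for %s unreachable" % d.dns)
            continue                      # PROCEED: skip the silent domain
        upn = find_account(d, key, kind)
        if upn:
            matches.append(upn)
    # Every candidate is queried before deciding, so ambiguity is only
    # known once all answers are in.
    if len(matches) > 1:
        return ("ambiguous", sorted(matches))
    if matches:
        return ("ok", matches[0])
    return ("not_found", identity)


if __name__ == "__main__":
    print(resolve("AMER\\jdoe", DIRECTORY, ALL_DOMAINS))
    print(resolve("jdoe", DIRECTORY, ALL_DOMAINS))
    print(resolve("jdoe", DIRECTORY, {"emea.acme.com"}))
    print(resolve("jdoe", DIRECTORY, ALL_DOMAINS, no_markup=REJECT))
    print(resolve("jdoe", DIRECTORY, ALL_DOMAINS, no_markup=ALL_FORESTS,
                  unreachable=DROP))
```

Two of the runs show the trade-offs the guide describes: a bare jdoe is ambiguous across AMER and EMEA, and restricting the authentication domains to one of them turns it into a clean match, which is the effect the Configure Authentication Domains section recommends; with Proceed with available domains the partner copy of jdoe is never consulted, so the result is unambiguous only because one forest was silent.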