LabMinutes# SEC0033 - Cisco ISE 1.1 Active Directory (AD) Integration and Identity Source Sequence

Captions
Welcome to LabMinutes.com. In this video I'm going to show you how to integrate ISE with Windows Active Directory and how to configure an identity source sequence. Most companies already have an AD infrastructure, and it just makes sense to utilize that same database for user authentication instead of maintaining a separate one on ISE. In addition, you'll be able to grant user access privileges based on user group membership or certain AD attributes.

In this lab we still have a very simple setup: an ISE server running version 1.1.2 with an IP of .102, and we also have a domain controller / DNS server at IP .40. OK, so before we get started you want to make sure that certain requirements are met. First, make sure that your ISE server name doesn't exceed 15 characters, which is a limit imposed by Windows. Second, make sure your DNS is configured properly so you can perform name resolution. And third, as always, you need to make sure your time is properly synchronized with the NTP server.

OK, now we're going to create an account for ISE to use to join AD. Instead of using an admin username and password, as a best practice in production you probably want to create a dedicated account that ISE can use. Here we already created an account called ISE AD, with the actual username ise_ad, and all it needs is membership in Domain Users, which is the default that you have when you create the account. Then you make sure the password never expires. Once you have that set up, we can proceed with the configuration on ISE.

Once you've logged in to the server, you go to Administration > External Identity Sources, and since we're going to be dealing with Active Directory you select Active Directory. The first thing you put in is the domain name; here our domain name is labminutes.com. You can name the identity store whatever you like; we're just going to leave the default of AD1. Go ahead and save the config. Right now it's trying to do name resolution. If your DNS is not properly configured it would probably fail right here, but since we have a DNS server configured we move on to the next step.

Here it says the ISE node role is standalone and it has not yet joined the domain. What you can do, just to test out your account, is a basic test with the username ise_ad and the password. OK, looks like I used a different password there, so let me try again. Basic test, with the password, and here it still says failed; however, we get a more descriptive reason: it says the clock skew is too great between the computer and the domain controller, and to make sure NTP has synchronized the time to the domain controller. If you look at the time right now, it's 12:45. Let's see, we can log into ISE and look at what time it has right now. OK, do show clock and you can see the time is not even close. Right here I purposely misconfigured the time so you guys can see the error that you will get when you have a clock or time mismatch. Now we're just going to go and manually adjust the time, so change the date and time, and let's see, OK, let's do 5:57. Now that we have the time adjusted, let's go ahead and test the connection one more time. OK, now we have a success, with the time currently synced.

You can also do a detailed test, and you will get a whole lot more information returned from the Active Directory, such as the FQDN and so on and so forth. So we now know that the account is good, and again all it needs is just Domain Users. If you get a different result, you might need to raise the privilege, but here it looks like we are working OK with Domain Users. Now we're going to go ahead and join ISE to AD. The whole process is very similar to joining a computer to the domain. Now we have successfully joined; it completed, and now we are connected to the domain controller. If you go to the domain controller, under Computers you see our server show up, and it just looks like any other machine that has been joined to the domain; there it is right there.

OK, now we're going to move on to the next tab, which is Advanced Settings. Here we have a couple of checkboxes. First, we can allow users to change the password; if you want to do that, leave it checked. Next, if you want to do machine authentication for Windows, you can leave it checked as well. This is usually useful to make sure the computer the user is using or accessing from is a corporate asset, or whether or not it's actually been a part of the domain. Enable Machine Access Restriction just allows ISE to correlate the machine authentication to the subsequent user authentication, to make sure the user is actually accessing using an authorized computer. Aging Time in Hours is how long you want ISE to cache that machine authentication; by default it's at 6 hours, so you can adjust it. Let's say if you want to make it longer, since the day is usually eight or nine working hours, you can just do 12 to make sure the cache doesn't expire in the middle of the day. It hopefully expires by the time the user has left the network, and they will come back and authenticate at 8:00 the next morning, so 12 might be a good value here. Go ahead and save the configuration.

OK, now let's move on to the third tab, which is Groups. Now that ISE has been joined to the domain, ISE has the capability to query the Active Directory for all the different user groups that it can use for authentication. Here you go to Add and Select Groups from Directory. The domain is labminutes.com, and by default we get a wildcard, which is an asterisk. If you go ahead and Retrieve Groups, you can see we now have all the user groups that are in the Active Directory. But if your Active Directory tends to be large and it's getting difficult to find or locate the group that you want to add, then you can use this filter right here. An asterisk means wildcard, but let's say you want something that starts with the word domain, so Domain Users and Domain Computers are what we're looking for. When you go ahead and retrieve groups, it just filters off everything that does not start with the word domain. Here we're going to add Domain Computers and Domain Users; that's what we're going to use later on in our future labs.

So we'll add those. The last tab is Attributes, and this is if you want to use attributes as part of your condition for authentication. Let's use our ISE AD account as an example: you can Retrieve Attributes and you can see the different AD attributes, with the actual attribute names, that you can add. For example, let's see, we'll go with CN. OK, go ahead and save the config.

Now that ISE is fully integrated with Active Directory, it's ready to be used for authentication by itself. But if you also want to, for example, use a local identity source as well, and prioritize the identity sources, for example when users authenticate you want ISE to look into AD before checking the local database, then you need to configure what's called an identity source sequence. By default there are three identity source sequences configured already. To add a new one, we'll click Add. Let's say we want this one to check the AD database first before checking local, so we call it AD then Local. You can see how I like to embed the name into the actual name of anything that you configure; basically here we use LM, so when you look at it you know that's what you configured yourself and not the system default. Here you can select the certificate authentication profile if you use certificates, but here we have added ISE to AD, which is called AD1, so you add that as the first priority in the order, and then we add Internal Users as the next source to check. The last thing that you're able to change is what happens if the authentication status comes back as a process error: you can either deny access or just treat it as the user not found, which will basically go down to the next source. Just leave it at the default. Now we save.

Let's go ahead and add one more; this time we want to check local first, so Local then AD, and all we need to do is reverse the order. You can use the Shift key to select multiple options and move them over to the right, so Internal Users and then AD1, then Submit.

Without actually going in and starting to configure policies, I just want to show you where these identity sources are used. For example, if you go to Policy > Authentication, you see here, as part of the authentication policy, once there is some match, at the end it determines which identity source ISE wants to use for the user database. For example, this one right now is Internal Endpoints. Let's take a quick look; if you want to change that, here you have an option of AD1, which means it's just going to check the Active Directory and then stop if the user is not found, or you can use the sequence that we configured just now, so you can either tell it to go AD then Local, or Local then AD. That's for telling ISE which identity source to use.

As far as the user groups that we pulled earlier from AD, basically these are going to be part of your conditions, for example an authorization condition. Say you want the user to be a member of certain AD groups before you grant them certain access; here's how you do it, I just want to show you quickly. Insert a rule above, and as part of the condition we'll create a new condition with the advanced option, and right here AD1 with the option of External Groups. Just to show you, we can also see the CN as well, because we added it as the AD attribute that we want to use earlier. External Groups equals something, and since we added two groups, which are Domain Computers and Domain Users, that's what shows up, and you just select the one that you'd like to use.

OK, so that's it; that wraps up our video on ISE integration with Active Directory and how to configure an identity source sequence, and you guys can see how you can use it. Thank you for watching LabMinutes.com; I'll see you guys in the next video.
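Added illustration, not code from the video or from Cisco: a small Python model of two behaviours the walkthrough describes, the way an identity source sequence walks its stores (including the advanced option for a process error, deny versus treat as user not found) and the way the MAR aging time decides whether a user authentication can be correlated with an earlier machine authentication. Store names, results and timestamps are constructed for the example.

```python
"""Model of ISE identity source sequence and MAR aging behaviour (added example,
not Cisco code). Store names and lookup results below are constructed."""
from enum import Enum


class Result(Enum):
    PASSED = "passed"                # user found and credentials accepted
    REJECTED = "rejected"            # user found but credentials wrong: stop here
    NOT_FOUND = "user not found"     # user absent from this store: try the next one
    PROCESS_ERROR = "process error"  # store unreachable (e.g. AD clock skew, DNS)


def resolve_sequence(order, lookup, error_as_not_found=True):
    """Walk the stores in `order`; `lookup(store)` returns a Result.
    Returns (outcome, store) where store is the one that decided, or None
    when every store reported the user as not found."""
    for store in order:
        result = lookup(store)
        if result in (Result.PASSED, Result.REJECTED):
            return result.value, store
        if result is Result.PROCESS_ERROR and not error_as_not_found:
            return Result.PROCESS_ERROR.value, store  # the 'deny access' option
        # NOT_FOUND, or PROCESS_ERROR treated as not found: continue down the list
    return Result.NOT_FOUND.value, None


def mar_correlated(machine_auth_ts, user_auth_ts, aging_hours=12):
    """Machine Access Restriction: True when the endpoint's cached machine
    authentication (epoch seconds) is no older than the aging window at
    user-authentication time; None means no machine auth was ever cached."""
    if machine_auth_ts is None:
        return False
    return 0 <= user_auth_ts - machine_auth_ts <= aging_hours * 3600


# Constructed scenario matching the video: AD1 is unreachable because of clock
# skew, and the test user exists only in the internal database.
AD_THEN_LOCAL = ["AD1", "Internal Users"]
LOCAL_THEN_AD = ["Internal Users", "AD1"]
SKEWED_AD = {"AD1": Result.PROCESS_ERROR, "Internal Users": Result.PASSED}.get

if __name__ == "__main__":
    print(resolve_sequence(AD_THEN_LOCAL, SKEWED_AD))         # ('passed', 'Internal Users')
    print(resolve_sequence(AD_THEN_LOCAL, SKEWED_AD, False))  # ('process error', 'AD1')
    print(mar_correlated(8 * 3600, 17 * 3600))                # True: 9 h inside a 12 h window
```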
Info
Channel: Lab Minutes
Views: 29,286
Keywords: ise, active directory
Id: FKXvhBdWA1E
Length: 15min 44sec (944 seconds)
Published: Sun Jan 20 2013