Cisco Ise 13 User Guide
Page 301
Step 4 Check the check box next to the new Active Directory join point that you created and click Edit, or click on the new Active Directory join point from the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their status.
Step 5 Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain.
You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a...
Page 302
Leave the Active Directory Domain
If you no longer need to authenticate users or machines from this Active Directory domain or from this join point, you can leave the Active Directory domain.
When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined. However, the Cisco ISE node account is not removed...
Page 303
domain markup (prefix or suffix). Due to these reasons, configuring authentication domains is a best practice, and we highly recommend it.
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Authentication Domains tab.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
Step 3 To allow only specified domains, uncheck the Use all Active Directory domains for authentication check box.
Step...
Page 304
Note If you delete a group and create a new group with the same name as the original, you must click Update SID Values to assign a new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first join.
What to Do Next
Configure Active Directory user attributes.
Configure Active Directory User and Machine Attributes
You must configure Active Directory user and machine attributes to be able to use them in conditions in authorization policies.
Procedure
Step...
Page 305
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Check the check box next to the relevant Cisco ISE node and click Edit.
Step 3 Click the Advanced Settings tab.
Step 4 Modify, as required, the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings.
These options are enabled by default.
Step 5 Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text...
Page 306
Create a New Scope to Add Active Directory Join Points
Procedure
Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Scope Mode.
A default scope called Initial_Scope is created, and all the current join points are placed under this scope.
Step 3 To create more scopes, click Add.
Step 4 Enter a name and a description for the new scope.
Step 5 Click Submit.
Identity Rewrite
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to...
Page 307
The result would be jdoe. This is an example rule that can be created when an identity is from a certificate, the field is an email address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
• If the identity matches E=[EMAIL],[DN], rewrite as [DN].
[email protected],CN=jdoe,DC=acme,DC=com to pure DN, CN=jdoe,DC=acme,DC=com. This is an example rule that can be created when the identity is taken from a certificate subject and Active Directory is configured to search for the user by DN. This rule...
Page 308
Identity Resolution Settings
Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, “ACME” is the domain markup prefix; similarly, in a UPN identity such as [email protected], “acme.com” is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or the alternative UPN suffix in your organization. For example...
Page 309
to look up the identity in all the joined global catalogs, which might not be very secure. This option forces the users to use names with domain markups.
• Only search in the “Authentication Domains” from the joined forest—This option will search for the identity only in the domains in the forest of the join point which are specified in the authentication domains section. This is the default option and identical to Cisco ISE 1.2 behavior for SAM account names.
• Search in all the “Authentication Domains” sections—This option will search for the identity in all...
Page 310
The result and steps of the test operation are displayed. The steps can help to identify the failure reason and troubleshoot.
Delete Active Directory Configurations
You should delete Active Directory configurations if you are not going to use Active Directory as an external identity source. Do not delete the configuration if you want to join another Active Directory domain. You can leave the domain to which you are currently joined and join a new domain.
Before You Begin
Ensure that you have left the Active Directory domain.
Procedure
Step...