In this blog we are going to look into the integration between ISE and Active Directory. This is one of the topics that is mentioned in the ISE exam topics so I thought it would be worth covering it off in this blog.
To get started with the AD integration login to your ISE deployment and go to Administration and under Identity Management and select External Identity Sources.
Once you are inside External Identity Sources you will need to add a new Join Point Name, you can call this anything you like but I prefer to keep this the same as my active directory domain name.
ISE will now ask you for credentials to join the node to Active Directory. In my demo I’m going to be using my own AD account which has the correct rights to join the node to Active Directory, in a production environment you need to make sure you are using a Service Account with the correct rights. There is also a box to store credentials, you would want to tick this is you are going to be adding multiple domain controllers in ISE.
Once you have selected ok you should get the below message stating that the ISE node has successfully joined the domain.
Error Joining ISE to Active Directory
- The error I received was
Status: Join Operation Failed: Clock skew detected with active directory serverto resolve this issue you need to check the time on the domain controller and also ISE. If you SSH into your ISE server and run the following to find the time
Importing AD groups into ISE
We can import AD groups into ISE so that we have the ability to use them in our dot1x policy sets we will go into more detail on this subject in another article.
To import groups we do this by going to the Groups tab shown below.
We now need to select Add and then click on Select Groups From Directory.
We then want to click on Retrieve Groups, this will then display all of your groups in AD. If you have a big AD topology you may want to apply a filter. You can select multiple groups below and then press OK. The groups you have selected will now be available to be used by ISE policy.
In my next blog we will go through the process of creating Network Access Policy Sets, this will cover using the AD groups we imported above in dot1x policy.