
Active Directory Integration with Cisco ISE 2.0






Contents

Active Directory Configuration in Cisco ISE
Key Features in Cisco ISE
Integrating Active Directory and Cisco ISE
Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Leave the Active Directory Domain
Configure Authentication Domains
Supported Group Types
Configure Active Directory User and Machine Attributes
Test Users for Active Directory Authentication
Support for Active Directory Multi-Join Configuration
Read-Only Domain Controllers
Active Directory Supported Authentication Protocols and Features
Authorization Against an Active Directory Instance
Identity Rewrite
Identity Resolution Settings
Sample Scenarios
Troubleshooting Tools
AD Connector Internal Operations

Revised: October 21, 2015

Active Directory Configuration in Cisco ISE

Key Features in Cisco ISE

The following are some of the key features of Active Directory in Cisco ISE:

Multi-Join Support

Cisco ISE supports multiple joins to … supports up to 50 … can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust … comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each …

Authentication Domains

When Cisco ISE is joined to an Active Directory domain, it will automatically discover the join point's … not all domains may be relevant to Cisco ISE for authentication and … allows you to select a subset of domains from the trusted domains for authentication and … subset of domains is … is recommended to define the domains where users or machines are located that you intend to authenticate, as … blocking domains thus restricting user authentications from … also helps optimize performance because you can skip domains that are not relevant for policies and authentication and help Cisco ISE to …

Identity Rewrite

This feature allows Cisco ISE to modify the username that is received from the client or a certificate, before sending it toward Active Directory … for example, the … be rewritten as … can fix a username or hostname that would otherwise fail to … can also rewrite identities in certificates and process requests that come with …
… same identity rewrite rules are applicable for incoming usernames or machine names, whether they come from a non-certificate based authentication or from …

Identity Resolution

If the user or machine name received by Cisco ISE is ambiguous, that is, it is not unique, it can cause problems for users when they try to … cases when the user does not have a domain markup, or when there are multiple identities with the same username in more than one … example, userA exists on domain1 and another userA exists on … use the identity resolution setting to define the scope for the resolution for such … to use qualified names such as UPN or … ambiguity and increases performance by …

… Membership Evaluation Based on Security Identifiers

Cisco ISE uses security identifiers (SIDs) for optimization of … are useful for two reasons, firstly for efficiency (speed) when the groups are evaluated, and secondly, resilience against delays if a domain is down and user is a member of groups from that … delete a group and create a new group with same name as original, you must update SIDs to assign new SID to the …

Authentication Test (Test User)

Test authentication is useful to troubleshoot authentication and authorization issues for end … can use the Test User feature to test … returns the results along with group and attribute details (authorization information) that can be viewed on the …

Diagnostic Tool

The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment for … tool provides information on:

- The Cisco ISE node on which the test is run
- Connectivity to the Active Directory
- Detailed status about the domain
- Detailed status about Cisco ISE-DNS server connectivity

The tool provides a detailed report for each test that you …

… Authentication Profile Enhancements

Any subject or alternative name attributes in the certificate (for Active Directory only) option: You can use this option to use Active Directory UPN as the username for logs and try all subject names and alternative names in a certificate to look up a … option is available only if you choose Active Directory as the identity source.
Only to resolve identity ambiguity option: You can use this option to resolve identity issues in … can have multiple identities from TLS … the usernames are ambiguous, for example, if there are two jdoe from an acquisition, and if the client certificates are present in Active Directory, Cisco ISE can use binary comparison to rule out the …

Node View

You can use this page to view the status of the join points on each node in the Cisco ISE … node view is a read-only page and provides only the … page does not support any join, leave, or test … it provides a link for each join point to the main join point page, where these operations can be … page also shows the last diagnostics status and a link to …

… and Alarms

Cisco ISE provides new AD Connector Operations report and new alarms in dashboard to monitor and …

Advanced Tuning

The advanced tuning feature provides node-specific changes and settings to adjust the parameters deeper in the … page allows configuration of preferred DCs, GCs, DC failover parameters, and … page also provide troubleshooting options like … not intended for normal administration flow and should be used only for …

Integrating Active Directory and Cisco ISE

The following are the prerequisites to integrate Active Directory with …

- Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and … can configure NTP settings from Cisco ISE CLI.
- If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust relationships exist between the domain to which Cisco ISE is connected and the other domains that have user and machine information to which you need … more information on establishing trust relationships, refer to Microsoft Active Directory documentation.
- You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to which you are …

Active Directory Account Permissions Required for Performing Various Operations

Join Operations | Leave Operations | Cisco ISE Machine Accounts

For the newly created Cisco ISE machine account that is used to communicate to the Active Directory connection, the following permissions are required:

- Ability to change own password
- Read the user/machine objects corresponding to users/machines being authenticated
- Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on.)
- Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM name matches the Cisco ISE appliance hostname, it should be located during the join operation and … multiple join operations are performed, multiple machine accounts are maintained inside Cisco ISE, one for each …

For the account that is used to perform the leave operation, the following permissions are required:

- Search Active Directory (to see if a Cisco ISE machine account already exists)
- Remove Cisco ISE machine account from domain

If you perform a force leave (leave without the password), it will not remove the machine account from the …

For the account that is used to perform the join operation, the following permissions are required:

- Search Active Directory (to see if a Cisco ISE machine account already exists)
- Create Cisco ISE machine account to domain (if the machine account does not already exist)
- Set attributes on the new machine account (for example, Cisco ISE machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join … credentials used for the join or leave operation are not stored in Cisco ISE.
Only the newly created Cisco ISE machine account credentials are …

… Ports That Must Be Open for Communication

Protocol | Port (remote-local) | Target | Authenticated | Notes
DNS (TCP/UDP) | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers | No |
MSRPC | 445 | Domain Controllers | Yes |
Kerberos (TCP/UDP) | 88 | Domain Controllers | Yes (Kerberos) | MS AD/KDC
LDAP (TCP/UDP) | 389 | Domain Controllers | Yes |
LDAP (GC) | 3268 | Global Catalog Servers | Yes |
NTP | 123 | NTP Servers/Domain Controllers | No |
IPC | 80 | Other ISE Nodes in the Deployment | Yes (Using RBAC credentials) |

DNS Server

While configuring your DNS server, make sure that you take care of the following:

- All DNS servers configured in Cisco ISE must be able to resolve all forward and reverse DNS queries for all domains you wish to use.
- All DNS servers must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
- We recommend that you add the server IP addresses to SRV responses to improve performance.
- Avoid using DNS servers that query the … cause delays and leak information about your network when an unknown name has to be resolved.

Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point

Before You Begin

Make sure that the Cisco ISE node can communicate with the networks where the NTP servers, DNS servers, domain controllers, and global catalog servers are … can check these parameters by running the …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 2 Click Add and enter the domain name and identity store … pop-up appears asking if you want to join the newly created join point to the … you want to … configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the …

Step 4 Check the check box next to the new Active Directory join point that you created and click Edit, or click on the new Active Directory join point from the navigation pane on the left.
The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their …

Step 5 Check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the … must do this explicitly even though you saved the … join multiple Cisco ISE nodes to a domain in a single operation, the username and password of the account to be used must be the same for all join … different username and passwords are required to join each Cisco ISE node, the join operation should be performed individually for each Cisco ISE …

Step 6 Enter the Active Directory username and … user used for the join operation should exist in the … it exists in a different domain or subdomain, the username should be noted in a UPN notation, such as …

Step 7 (Optional) … should check this check box in case the Cisco ISE node machine account is to be located in a specific Organizational Unit other than CN=Computers,DC=someDomain,DC= … creates the machine account under the specified organizational unit or moves it to this location if the … the organizational unit is not specified, Cisco ISE uses the … value should be specified in full distinguished name (DN) syntax … must conform to the … , such as /'+,;=<> line feed, space, and carriage return must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC= … the machine account is already created, you need not check this check box. You can also change the location of the machine account after you join to the … can select more than one node to join to the … the join operation is not successful, a failure message for each node … to view detailed logs for that … join is complete, Cisco ISE checks whether any group SIDs are still in the old Cisco ISE … so, Cisco ISE automatically starts the SID … must ensure that this process is … might not be able to join Cisco ISE with an Active Directory domain if the DNS SRV records are missing (the domain controllers are not advertising their SRV records for the domain that you are trying to join to).
Refer to the following Microsoft Active Directory documentation for troubleshooting information: …

Note …

What to Do Next …

Leave the Active Directory Domain

If you no longer need to authenticate users or machines from an Active Directory domain or from this join point, you can … reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is … , the Cisco ISE node account is not removed from the … recommend that you perform a leave operation from the Admin portal with the Active Directory credentials because it also removes the node account from the … is also recommended when you change the Cisco ISE …

Before You Begin

If you leave the Active Directory domain, but still use Active Directory as an identity source for authentication (either directly or as part of an identity source sequence), authentications may …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 2 Check the check box next to the Cisco ISE node and …

Step 3 Enter the Active Directory username and password, and click OK to leave the domain and remove the machine account from the Cisco ISE … you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco ISE machine account from the … delete the Cisco ISE machine account from the Active Directory database, the Active Directory credentials that you provide here must have the permission to remove machine account from …

Step 4 If you do not have the Active Directory credentials, check the No Credentials Available check box, and … you check the Leave domain without credentials check box, the primary Cisco ISE node leaves the Active Directory … administrator must manually remove the machine account that was created in Active Directory during the time of the …

Configure Authentication Domains

The domain to which Cisco ISE is joined to has visibility to other domains with which it has a trust … default, Cisco ISE is set to permit authentication against all … can restrict interaction with the Active Directory deployment to a subset of … to
… select specific domains for each join point so that the authentications are performed against the selected domains only. Authentication domains improve security because they instruct Cisco ISE to authenticate users only from selected domains and not from all domains trusted from join … improve performance and latency of authentication request processing because authentication domains limit the search area (that is, where accounts matching to incoming username or identity will be searched). It is especially important when incoming username or identity does not contain domain markup (prefix or suffix). Due to these reasons, configuring authentication domains is a best practice, and we …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

… table appears with a list of your … default, Cisco ISE permits authentication against all …

Step 3 To allow only specified domains, uncheck Use all Active Directory domains for …

Step 4 Check the check box next to the domains for which you want to allow authentication, and click Enable Selected. In the Authenticate column, the status of this domain changes to … can also …

Step 5 Click Show Unusable Domains to view a list of domains that cannot be … domains that Cisco ISE cannot use for authentication due to reasons such as one-way trust, selective authentication and so …

What to Do Next

Configure Active Directory user …

Supported Group Types

Cisco ISE supports the following security group types:

- Universal
- Global
- Builtin

Builtin groups do not have a unique security identifier (SID) across domains and to overcome this, Cisco ISE prefixes their SIDs with the domain name to which they … uses the AD attribute tokenGroups to evaluate a user's … machine account must have permission to read … attribute can contain approximately the first 1015 groups that a user may be a member of (the actual number depends on Active Directory configuration and can be increased by reconfiguring Active Directory.)
If a user is a member of more groups than this, Cisco ISE does not use more than the first 1015 in …

Configure Active Directory User Groups

You must configure Active Directory user groups for them to be available for use in … , Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity issues and to …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 3 Do one of the following:
a) Choose Add > Select Groups From Directory to choose an …
b) Choose Add > Add Group to manually add a … can either provide both group name and SID or provide only the group name and … not use double quotes (") in the group name for the user …

Step 4 If you are manually selecting a group, you can search for them using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view user groups that begin with … can also enter the asterisk (*) wildcard character to filter the … can retrieve only 500 groups at a …

Step 5 Check the check boxes next to the groups that you want to be available for use in authorization policies and …

Step 6 If you choose to manually add a group, enter a name and SID for the new … you delete a group and create a new group with the same name as original, you must click Update SID Values to assign new SID to the … upgrade, the SIDs are automatically updated after the …

What to Do Next

Configure Active Directory user …

Configure Active Directory User and Machine Attributes

You must configure Active Directory user and machine attributes to be able to use them in conditions in …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 3 Choose Add > Add Attribute to manually add an attribute, or choose Add > Select Attributes From Directory to choose a list of attributes from the …

Step 4 If you choose to add attributes from the directory, enter the name of a user in the Sample User or Machine Account field, and click Retrieve Attributes to obtain a list of attributes … for example, enter administrator to obtain a list of … can also enter the asterisk (*) wildcard character to filter the … enter an example username, ensure that you choose a user from the Active Directory domain to which the Cisco ISE is … choose an example machine to
… obtain machine attributes, be sure to prefix the machine name with host/ or use the SAM$ … example, you might use … example value displayed when you retrieve attributes are provided for illustration only and are not …

Step 5 Check the check boxes next to the attributes from Active Directory that you want to select, and …

Step 6 If you choose to manually add an attribute, enter a name for the new …

Test Users for Active Directory Authentication

Test authentication is useful to troubleshoot authentication and authorization issues for end … can use the Test User feature to verify user … can optionally fetch groups and attributes and … can run the test for a single join point or for …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 2 Choose one of the following options:
- To run the test on all join points, choose Advanced Tools > Test User for All Join Points.
- To run the test for a specific join point, select the join point and click Edit. Select the Cisco ISE node and …

Step 3 Enter the username and password of the user (or host) in …

Step 4 Choose the authentication type. Password entry in Step 3 is not required if you choose the …

Step 5 Select the Cisco ISE node on which you want to run this test, if you are running this test for all join …

Step 6 Check the check boxes if you want to … result and steps of the test operation are … steps can help to identify the failure reason and …

Support for Active Directory Multi-Join Configuration

Cisco ISE supports multiple joins to … supports up to 50 … can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust … comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each … can join the same forest more than once, that is, you can join more than one domain in the same forest, if … now allows to join domains with one-way trust. This option helps bypass the permission issues caused by a … can join either of the trusted domains and hence be able to see both domains.
Join Point

In Cisco ISE, each independent join to an Active Directory domain is called a join … Active Directory join point is a Cisco ISE identity store and can be used in authentication policy. It has an associated dictionary for attributes and groups, which can be used in authorization conditions.

Scope

A subset of Active Directory join points grouped together is called a … can use scopes in authentication policy in place of a single join point and as … used to authenticate users against multiple join … having multiple rules for each join point, if you use a scope, you can create the same policy with a single rule and save the time that Cisco ISE takes to process a request and help … join point can be present in … scope can be included in an … cannot use scopes in an authorization policy condition because scopes do not have any … perform a fresh Cisco ISE install, by default no … is called the no … add a scope, Cisco ISE … you want, you can return to no … the join points will be moved to the Active Directory folder. Initial_Scope is an implicit scope that is used to store the Active Directory join points that were added in no … enabled, all the Active Directory join points move into the … can rename the Initial_Scope. All_AD_Instances is a built-in pseudo scope that is not shown in the … is only visible as an authentication result in policy and … can select this scope if you want to select all Active Directory join points configured in …

Scopes and Join Points in Identity Source Sequences and Authentication Policy

Cisco ISE allows you to define multiple Active Directory join points, where each join point represents a connection to a … join point can be used in authentication and authorization policies and in identity sequences, as … points can be grouped to form a scope that you can use in authentication policy, as authentication results, and in … can select individual join points as the result of authentication policy or identity source sequences, when you want to treat each join point as a completely independent group of policy.
For example, in a multi-tenant scenario, where the Cisco ISE deployment supports independent groups with their own network devices, network device groups can be used for selection of the … , if Active Directory domains are regarded as part of the same enterprise without any trust between the domains, you can use scopes to join multiple disconnected Active Directory domains and create a common authentication policy. You can thus avoid the need for every join point represented by a different identity store to be defined in the authentication policy and to provide duplicate rules for each … actual join point that is used is included in the authentication identity store for use in the … are multiple identities in multiple domains, where the username is … example, if a username without any domain markup is not unique and Cisco ISE is configured to use a passwordless protocol such as EAP-TLS, there are no other criteria to locate the right user, so Cisco ISE fails the authentication with an ambiguous identity error. If you encounter such ambiguous identities, you can use specific scopes or join points in authentication policy rules or use … example, you can direct users of specific network device groups to use a specific Active Directory scope or even a single join point, to limit the … , you can create a rule as follows: if the identity ends with … specific Active Directory join … helps to direct authentications to the right join …

… a New Scope to Add Active Directory Join Points

Procedure

Step 1 Choose Administration > Identity Management > External Identity Sources > …

… default scope called Initial_Scope is created, and all the current join points are placed under this …

Step 3 To create more scopes, …

Step 4 Enter a name and a description for the new …

Read-Only Domain Controllers

The following operations are supported on read-only domain controllers:

- Kerberos user authentication
- User lookup
- Attribute and group fetch

Active Directory Supported Authentication Protocols and Features

Active Directory supports features such as user and machine authentications, changing Active Directory user passwords with … following table lists the authentication protocols and the
respective features that are supported by …

Table 1: Authentication Protocols Supported by Active Directory

Authentication Protocols | Features
EAP-FAST and password based Protected Extensible Authentication Protocol (PEAP) | User and machine authentication with the ability to change passwords using EAP-FAST and PEAP with an inner method of MS-CHAPv2 and EAP-GTC
Password Authentication Protocol (PAP) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1) | User and machine authentication
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) | User and machine authentication
Extensible Authentication Protocol-Generic Token Card (EAP-GTC) | User and machine authentication
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) | User and machine authentication; Groups and attributes retrieval; Binary certificate comparison
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling-Transport Layer Security (EAP-FAST-TLS) | User and machine authentication; Groups and attributes retrieval; Binary certificate comparison
Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) | User and machine authentication; Groups and attributes retrieval; Binary certificate comparison
Lightweight Extensible Authentication Protocol (LEAP) | User authentication

Active Directory User Authentication Process Flow

When authenticating or querying a user, Cisco ISE checks the following:

- MS-CHAP and PAP authentications check if the user is disabled, locked out, expired or out of logon hours and the authentication fails if some of these conditions are true.
- EAP-TLS authentications check if the user is disabled or locked out and the authentication fails if some of … , you can … can set the IdentityAccessRestricted attribute if conditions mentioned above (for example, user disabled) are met.
… IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication fails if such conditions (for example, user disabled) are …

… Username Formats

The following are the supported username types:

- SAM, for example: jdoe
- NetBIOS prefixed SAM, for example: ACME\jdoe
- UPN, for example: …
- Alt UPN, for example: …
- Subtree, for example: …
- SAM machine, for example: laptop$
- NetBIOS prefixed machine, for example: ACME\laptop$
- FQDN DNS machine, for example: …
- Hostname only machine, for example: host/laptop

Active Directory Password-Based Authentication

Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) are … be authenticated only by … provides two options for PAP authentication: MS-RPC and … MS-RPC and Kerberos are … PAP authentication is a default and recommended option because:

- It provides consistency with MS-CHAP
- It provides more clear error reporting
- It allows more efficient communication with Active Directory.

In case of MS-RPC, Cisco ISE sends authentication requests to a domain controller from the joined domain only and the domain controller handles the … case of Kerberos, Cisco ISE needs to follow Kerberos referrals from the joined domain to the user's account domain (that is, Cisco ISE needs to communicate with all domains on the trust path from the joined domain to the user's account domain). Cisco ISE examines the username format and calls the domain manager to locate the domain controller for the … account domain is located, Cisco ISE tries to authenticate the user against it. If the password matches, the user is granted access to the … very similar to user-based authentication, except if the machine name is in … format (which is a DNS namespace) cannot be authenticated as is by Cisco ISE and is converted to NetBIOS-prefixed SAM format before it is …

Active Directory Certificate Retrieval for Certificate-Based Authentication

Cisco ISE supports certificate retrieval for user and machine authentication that uses the … user or machine record on Active Directory includes a certificate attribute of the binary data type.
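The username formats listed above, and the conversion of an FQDN machine name into NetBIOS-prefixed SAM form that the password-based authentication section describes, as an added example that is not part of the original document or of Cisco ISE. The DNS-to-NetBIOS map and the alternative UPN suffix set are constructed sample forest data; the Subtree format is not modelled because the page gives no example of it.

```python
"""Classify Cisco ISE-style identity strings and normalise machine names.

Added illustration, not Cisco ISE code. The forest data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed forest data: a real UPN suffix is the DNS name of a domain in the
# forest; an alternative UPN suffix is an extra suffix registered on the forest.
DNS_TO_NETBIOS: Dict[str, str] = {"acme.com": "ACME", "corp.acme.com": "CORP"}
ALT_UPN_SUFFIXES: Set[str] = {"acme-mail.com"}


@dataclass
class Identity:
    kind: str               # format name as listed on the page
    account: str            # SAM account or hostname part
    realm: Optional[str]    # NetBIOS name, UPN suffix or DNS domain, if present


def classify(identity: str) -> Identity:
    """Map an incoming username or machine name to one of the supported formats."""
    ident = identity.strip()
    if ident.lower().startswith("host/"):          # Kerberos-style host principal
        hostname = ident[len("host/"):]
        if "." in hostname:                         # FQDN: laptop.acme.com
            short, dns_domain = hostname.split(".", 1)
            return Identity("FQDN DNS machine", short, dns_domain.lower())
        return Identity("Hostname only machine", hostname, None)
    if "\\" in ident:                               # NetBIOS prefix: ACME\jdoe
        netbios, sam = ident.split("\\", 1)
        kind = "NetBIOS prefixed machine" if sam.endswith("$") else "NetBIOS prefixed SAM"
        return Identity(kind, sam, netbios.upper())
    if "@" in ident:                                # UPN: jdoe@acme.com
        user, suffix = ident.rsplit("@", 1)
        suffix = suffix.lower()
        if suffix in DNS_TO_NETBIOS:
            return Identity("UPN", user, suffix)
        if suffix in ALT_UPN_SUFFIXES:
            return Identity("Alt UPN", user, suffix)
        return Identity("Unknown UPN suffix", user, suffix)
    if ident.endswith("$"):                         # SAM machine: laptop$
        return Identity("SAM machine", ident, None)
    return Identity("SAM", ident, None)


def to_netbios_machine(identity: str) -> str:
    """Return the machine name in the NetBIOS-prefixed SAM form (ACME\\laptop$).

    An FQDN lives in the DNS namespace, so its domain must be mapped to the
    NetBIOS name before a SAM lookup can succeed; an unknown DNS domain is an
    error rather than a silent guess. A hostname-only identity carries no
    domain markup, so only the SAM$ form can be produced (assumption of this
    example).
    """
    ident = classify(identity)
    if ident.kind == "NetBIOS prefixed machine":
        return f"{ident.realm}\\{ident.account}"
    if ident.kind == "SAM machine":
        return ident.account
    if ident.kind == "Hostname only machine":
        return f"{ident.account}$"
    if ident.kind == "FQDN DNS machine":
        netbios = DNS_TO_NETBIOS.get(ident.realm or "")
        if netbios is None:
            raise ValueError(f"unknown DNS domain {ident.realm!r}; no NetBIOS name known")
        return f"{netbios}\\{ident.account}$"
    raise ValueError(f"{identity!r} is not a machine identity")


if __name__ == "__main__":
    for sample in ["jdoe", "ACME\\jdoe", "jdoe@acme.com", "jdoe@acme-mail.com",
                   "laptop$", "ACME\\laptop$", "host/laptop", "host/laptop.corp.acme.com"]:
        print(f"{sample:28} -> {classify(sample)}")
    print(to_netbios_machine("host/laptop.corp.acme.com"))
```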
This certificate attribute can contain one or … identifies this attribute as userCertificate and does not allow you to configure any other name for this … retrieves this certificate and uses it to … certificate authentication profile determines the field where the username is taken from in order to lookup the user in Active Directory to be used for retrieving certificates, for example, Subject Alternative Name (SAN) or … certificate, it performs a binary comparison of this certificate with the … , Cisco ISE compares the certificates to check for one that … match is found, the user or machine authentication is …

… a Certificate Authentication Profile

You must create a certificate authentication profile if you want to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) … authenticating via the traditional username and password method, Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a …

Before You Begin

You must be a Super Admin or …

Step 1 Choose Administration > Identity Management > External Identity Sources > Certificate Authentication Profile > …

Step 2 Enter the name and an optional description for the …

Step 3 Select an identity store from the … not require an … you want binary comparison checking for the certificates, you must select an … you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a …

Step 4 Select the use of identity from Certificate Attribute or Any Subject or Alternative Name Attributes in the … will be used in logs and for … you choose Any Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option is available only if you choose Active Directory as the …

Step 5 Choose when you want to Match Client Certificate Against Certificate In Identity Store. For this you must select an identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to resolve identity ambiguity.
- Never: This option never performs a binary comparison.
- Only to resolve identity ambiguity: This option performs the binary comparison of client certificate to certificate on account in Active Directory only if ambiguity is … example, several Active Directory accounts matching to identity names from certificate are found.
- Always perform binary comparison: This option always performs the binary comparison of client certificate to certificate on account in identity store (Active Directory or LDAP).

Step 6 Click Submit to add the certificate authentication profile or save the …

… Password Changes, Machine Authentications, and Machine Access Restriction Settings

Before You Begin

You must join Cisco ISE to the …

Step 1 Choose Administration > Identity Management > External Identity Sources > …

Step 3 Modify as required, the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) … enabled by …

Step 4 Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for … default and recommended option is … used in ISE …

Authorization Against an Active Directory Instance

The following sections explain the mechanism that Cisco ISE uses to authorize a user or a …

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in … be used in Cisco ISE policies and determine the authorization level for a user or … retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is … may use groups in external identity stores to assign permissions to users or computers; for example, to map users to … should note the following restrictions on group memberships in Active Directory:

- Policy rule conditions may reference any of the following: a user's or computer's primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.
- Domain local groups outside a user's or computer's account domain are not …

… can use the value of the Active Directory attribute, msRadiusFramedIPAddress, as an IP … IP address can be sent to a network access server (NAS) in an IPv4 … authentication, the msRadiusFramedIPAddress attribute value fetched for the user will be converted to IP … groups are retrieved and managed per join … used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's … can use authentication domains to ensure that no two join points in one scope have any overlap in …

… Microsoft-imposed limits on the maximum number of usable Active Directory groups: … (v= ).aspx

Note: An authorization policy fails if the rule contains an Active Directory group name with special characters such as /, !, @, \, #, $, %, ^, &, *, (, ), _, +, or ~.

Support for Boolean Attributes

Cisco ISE supports retrieving Boolean attributes from Active Directory and … can configure the Boolean attributes while configuring the directory attributes for Active Directory or LDAP. These attributes are retrieved upon authentication with Active Directory or … Boolean attributes can be used for configuring policy rule … Boolean attribute values are fetched from Active Directory or LDAP server as String type. Cisco ISE supports the following values for the Boolean attributes:

Boolean attribute | Supported values
True | t, T, true, TRUE, True, 1
False | f, F, false, FALSE, False, 0

Attribute substitution is not supported for the … you configure a Boolean attribute (for example, msTSAllowLogon) as String type, the Boolean value of the attribute in the Active Directory or LDAP server will be set for the String attribute in Cisco ISE.
You can change the attribute type to Boolean, or add the attribute manually as a Boolean attribute.

Policy Dictionary Attributes
Authorization policy is determined by conditions based on Active Directory attributes. Each Active Directory join point has an associated dictionary that includes attributes and groups. The dictionary attributes indicate:
- which join point was used for the user authentication;
- which join point was used for the machine authentication;
- which domain DNS-qualified name was used for the user authentication;
- which domain DNS-qualified name was used for the machine authentication;
- which identity store was used for the authentication;
- whether the user's machine was authenticated or not;
- the Active Directory group to which the user belongs (scoped to the join point);
- that the user account is disabled or is outside of logon hours and so is prevented from access (scoped to the join point);
- the value of a given Active Directory attribute for the user (<ATTR name>, scoped to the join point).

Identity Rewrite
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix, or other additional markup of your choice.

The identity rewrite rules are applied on the username or hostname received from the client, before it is passed to Active Directory, for operations such as subject searches, authentication, and authorization queries. Cisco ISE matches the conditions in order and, when the first one matches, stops processing the policy and rewrites the identity string according to that rule's result.

During the rewrite, everything enclosed in square brackets [ ] (such as [IDENTITY]) is a variable: on the evaluation side it is not matched literally but bound to the string found at that position in the identity, and on the rewrite side the same token is replaced by the bound string. Anything outside the brackets is evaluated as a fixed string on both the evaluation side and the rewrite side of the rule.

The following are some examples of identity rewrite, considering that the identity entered by the user is ACME\jdoe:
- If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]. The result would be jdoe. This rule instructs Cisco ISE to strip the ACME prefix from all usernames that carry it.
- If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]@ACME.com. The result would be jdoe@ACME.com. This rule instructs Cisco ISE to change the format from prefix to suffix notation, that is, from NetBIOS format to UPN format.
- If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY]. The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate prefix.
- If the identity matches [ACME]\…, the result would be jdoe\…. This rule instructs Cisco ISE to strip the realm after the dot, in this case the country, and replace it with the correct domain.
- If the identity matches E=[IDENTITY], rewrite as [IDENTITY]. The result would be jdoe. This is an example rule that can be created when the identity is taken from a certificate, the field is an email address, and Active Directory is configured to search by email. This rule instructs Cisco ISE to remove "E=".
- If the identity matches E=[EMAIL],[DN], rewrite as [DN]. This rule converts a certificate subject of the form E=…,CN=… into a pure DN, CN=jdoe,DC=acme,DC=com. This is an example rule that can be created when the identity is taken from a certificate subject and Active Directory is configured to search the user by DN. This rule instructs Cisco ISE to strip the email prefix and keep the DN.

The following are some common mistakes made while writing identity rewrite rules:
- If the identity matches [DOMAIN]\[IDENTITY], rewrite as DOMAIN\[IDENTITY]. The result would be DOMAIN\jdoe. This rule does not have [DOMAIN] in square brackets [ ] on the rewrite side of the rule, so the literal text DOMAIN is emitted instead of the captured prefix.
- If the identity matches DOMAIN\[IDENTITY], rewrite as [DOMAIN]\[IDENTITY]. Here again the result would be DOMAIN\jdoe. This rule does not have [DOMAIN] in square brackets [ ] on the evaluation side of the rule, so nothing is captured for the [DOMAIN] token used on the rewrite side.

Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result of an authentication policy, the rewrite rules are applied for each Active Directory join point. The rewrite also applies to identities taken from certificates if EAP-TLS is used.

Configure Identity Rewrite
This configuration task is optional. You can perform it to reduce authentication failures that can arise for various reasons, such as ambiguous identity errors.

Before You Begin
You must join Cisco ISE to the Active Directory domain.

Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Advanced Settings tab.
Step 3 Under the Identity Rewrite section, choose whether you want to apply the rewrite rules to modify usernames.
Step 4 Enter the match conditions and the rewrite results. You can remove the default rule that appears and enter rules according to your requirements. Cisco ISE processes the policy in order, and the first condition that matches the request username is applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username to the result. If none of the rules match, the identity is passed to Active Directory unchanged.
Step 5 You can click the Launch Test button to preview the rewrite processing.

Identity Resolution Settings
Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, ACME is the domain markup prefix; similarly, in a UPN identity such as jdoe@acme.com, acme.com is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or an alternative UPN suffix in your organization. A suffix that is not a DNS name of an Active Directory domain is treated as no domain markup at all.

The identity resolution settings allow you to configure important settings to tune the balance between security and performance to match your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain markup. In cases when Cisco ISE is not aware of the user's domain, it can be configured to search for the user in all the authentication domains. Even if the user is found in one domain, Cisco ISE will wait for all responses in order to ensure that there is no identity ambiguity.
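Before going further with the resolution settings, the first-match token semantics of the Identity Rewrite section above are worth seeing in code. The following Python model is an added example written for this page, not Cisco ISE code. It assumes (the page does not say) that fixed text matches case-sensitively, that the whole identity must match the condition, and that a [TOKEN] binds to the shortest non-empty run that still lets the rest of the condition match; a token used only on the rewrite side is emitted literally so the "common mistake" is visible in the output. The rule lists, the sample identities and the function names (rewrite_identity, demo) are all mine.

```python
"""Identity rewrite rule engine modelled on the Cisco ISE rules above.

Added example, not Cisco code.  Assumptions not stated on the page: fixed text
matches case-sensitively, the whole identity must match the condition, and a
[TOKEN] binds to the shortest non-empty run that lets the rest of the
condition match.
"""
import re

TOKEN = re.compile(r"\[([A-Za-z0-9_]+)\]")


def _compile_condition(condition: str) -> re.Pattern:
    """Turn a condition such as 'ACME\\[IDENTITY]' into a full-match regex with one
    named group per token; everything outside the brackets is escaped literal text."""
    parts, pos, seen = [], 0, set()
    for m in TOKEN.finditer(condition):
        parts.append(re.escape(condition[pos:m.start()]))  # fixed text before the token
        name = m.group(1)
        if name in seen:
            raise ValueError(f"token [{name}] appears twice in condition")
        seen.add(name)
        parts.append(f"(?P<{name}>.+?)")                    # lazy: shortest run that works
        pos = m.end()
    parts.append(re.escape(condition[pos:]))                # fixed text after the last token
    return re.compile("".join(parts))


def rewrite_identity(identity: str, rules):
    """Apply the first (condition, result) rule whose condition matches the whole identity.

    Returns (rewritten_identity, index_of_rule_used); the index is None and the
    identity is passed through unchanged when no rule matches.
    """
    for idx, (condition, result) in enumerate(rules):
        m = _compile_condition(condition).fullmatch(identity)
        if m is None:
            continue
        captured = m.groupdict()

        def substitute(tok):
            name = tok.group(1)
            # A token on the rewrite side that was never captured on the evaluation
            # side is emitted as its bare name, which is exactly what the "common
            # mistake" rules in the text produce.
            return captured.get(name, name)

        return TOKEN.sub(substitute, result), idx
    return identity, None


def demo():
    """Run the page's examples through the engine; returns {case: (identity, rule index)}."""
    rules = [
        ("E=[EMAIL],[DN]", "[DN]"),                 # certificate subject -> pure DN
        ("E=[IDENTITY]", "[IDENTITY]"),             # certificate e-mail field -> e-mail
        ("ACME\\[IDENTITY]", "[IDENTITY]@ACME.com"),  # NetBIOS -> UPN
    ]
    return {
        "netbios": rewrite_identity("ACME\\jdoe", rules),
        "cert_subject": rewrite_identity("E=jdoe@acme.com,CN=jdoe,DC=acme,DC=com", rules),
        "email": rewrite_identity("E=jdoe@acme.com", rules),
        "no_match": rewrite_identity("jdoe", rules),
        # the first "common mistake": DOMAIN is unbracketed on the rewrite side
        "mistake": rewrite_identity("ACME\\jdoe", [("[DOMAIN]\\[IDENTITY]", "DOMAIN\\[IDENTITY]")]),
    }
```

Rule order matters: E=[EMAIL],[DN] is listed before E=[IDENTITY] because the first matching rule wins, and E=[IDENTITY] on its own would swallow the entire subject including the DN.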
This might be a lengthy process, subject to the number of domains, latency in the network, load, and so on.

Avoid Identity Resolution Issues
It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication; for example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors frequently, that is, when several Active Directory accounts match the incoming username (for example, a jdoe account exists in more than one domain). In some cases, using fully qualified names is the only way to resolve the issue. In other cases, it may be sufficient to guarantee that the users have unique identities. Either way, it is more efficient and leads to fewer password lockout issues if unique identities are used.

Configure Identity Resolution Settings
This configuration task is optional. You can perform it to reduce authentication failures that can arise for various reasons, such as ambiguous identity errors.

Before You Begin
You must join Cisco ISE to the Active Directory domain.

Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Advanced Settings tab.
Step 3 Define the following settings for identity resolution for usernames or machine names. These settings give you advanced control over user search and authentication.

The first setting applies to identities without a domain markup. In such cases, you can select any of the following options:
- Reject the request: This option fails the authentication for users who do not have any domain markup, such as a bare SAM name. This is useful in the case of multi-join domains, where Cisco ISE would otherwise have to look up the identity in all the joined global catalogs, which might not be very secure. This option forces the users to use names with domain markup.
- Only search in the Authentication Domains from the joined forest: This option searches for the identity only in those domains of the join point's forest that are specified in the authentication domains section. This is the default option and is identical to the behavior of earlier Cisco ISE releases for SAM account names.
- Search in all the Authentication Domains sections: This option searches for the identity in all authentication domains in all the trusted forests. This might increase latency and impact performance.

The selection is made based on how the authentication domains are configured in Cisco ISE.
If only specific authentication domains are selected, only those domains are searched (for both the "joined forest" and "all forests" selections).

The second setting is used if Cisco ISE cannot communicate with all the Global Catalogs (GCs) that it needs in order to comply with the configuration specified in the Authentication Domains section. In such cases, you can select any of the following options:
- Proceed with available domains: This option proceeds with the authentication if it finds a match in any of the available domains.
- Drop the request: This option drops the authentication request if the identity resolution encounters an unreachable or unavailable domain.

Sample Scenarios
This section describes some basic scenarios related to the Active Directory configuration flow with Cisco ISE.

Acquisition Scenario
One enterprise has acquired or merged with another. As an administrator of the acquiring enterprise, you would like to build a unified network authentication infrastructure that allows the users of both companies to gain access to the network.

Required Configurations
A single Active Directory join point for the original company already exists. To add the additional, untrusted Active Directory infrastructure:
Step 1 Enter scope mode to add a new join point for the acquired company's Active Directory.
Figure 1: Join Points Created Within Initial_Scope
Step 2 Configure an authentication policy and select Initial_Scope as the result for all Active Directory authentications.
Figure 2: Initial_Scope Selected as the Result in Authentication Policy

By performing the above configurations, you created a scope that configures Cisco ISE to search for users in either company's Active Directory. A scope allows a network to authenticate against multiple Active Directory infrastructures, even if they are completely disconnected and/or do not trust each other.

Multiple Tenants Scenario
For a multi-tenant scenario, you have to define the configuration for multiple customers: CompanyA, CompanyB, and CompanyC. For each customer, you have to do the following:
- Define independent network device groups.
- Define scopes that identity traffic may efficiently scan through.
- Configure and join independent Active Directory join points.
- Define authentication and authorization policy such that Active Directory identity traffic from these device groups is directed to these Active Directory join points.

Required Configurations
To provide all the features required above:
Step 1 Define a network device group (NDG) type with CompanyA, CompanyB, and CompanyC as its values, and add the network devices for each company.
Figure 3: Define Network Device Group for each Company
Step 2 Define scopes for each company, and define multiple Active Directory join points within the scope of each company. If all of a company's domains were trusted, only a single join point would be needed; in this example there are a number of untrusted domains, so multiple join points are required.
Figure 4: Define Scopes and Join Points for each Company
Step 3 Configure policy sets to tie the NDGs of a company to the Active Directory scopes used for that company's authentication. Each company should also have its own policy set so that authorization policy may be defined in the company's own context.
Figure 5: Configure Policy Sets

Troubleshooting Tools
Cisco ISE provides several tools to diagnose and troubleshoot Active Directory issues.

Diagnose Active Directory Problems
The Diagnostic Tool is a service that runs on every Cisco ISE node. It allows you to automatically test and diagnose the Active Directory deployment, executing a set of tests to detect issues that may cause functionality or performance failures when Cisco ISE uses Active Directory.

There are multiple reasons for which Cisco ISE might be unable to join or authenticate against Active Directory. This tool helps ensure that the prerequisites for connecting Cisco ISE to Active Directory are configured correctly. It helps detect problems with networking, firewall configurations, clock sync, user authentication, and so on.
This tool works as a step-by-step guide and helps you fix problems with every layer in between, if needed.

Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click the Advanced Tools drop-down and choose Diagnostic Tools.
Step 3 Select a Cisco ISE node on which to run the tests. If you do not select a Cisco ISE node, the tests are run on all the nodes.
Step 4 Select a specific Active Directory join point. If you do not select an Active Directory join point, the tests are run on all the join points.
Step 5 Click Run All Tests on Node to start the tests.
Step 6 Click View Test Details to view the details for tests with a Warning or Failed status. This table allows you to rerun specific tests, stop running tests, and view a report of specific tests.

Active Directory Alarms and Reports
Cisco ISE provides various alarms and reports to monitor and troubleshoot Active Directory-related activities.

Alarms
The following alarms are triggered for Active Directory errors and issues:
- Configured nameserver not available
- Joined domain is unavailable
- Authentication domain is unavailable
- Active Directory forest is unavailable
- AD Connector had to be restarted
- AD: ISE account password update failed
- AD: Machine TGT refresh failed

Reports
You can monitor Active Directory-related activities through the following two reports:
- RADIUS Authentications Report: This report shows the detailed steps of the Active Directory authentication and authorization. You can find this report here: Operations > Reports > Auth Services Status > RADIUS Authentications.
- AD Connector Operations Report: This report provides a log of the background operations performed by the AD connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, and LDAP and RPC connection management. If you encounter any Active Directory failures, you can review the details in this report to identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector Operations.

Resolve Ambiguous Identity Errors
You may encounter more than one identity with the same name in one forest. In a multi-join scenario this is more likely, especially when you have several unrelated companies in your Active Directory deployment that have no mutual control over their namespaces, which increases the chance of identities that are not unique per forest. Using UPNs works well, but alternate UPN suffixes can still clash. In all such scenarios you will need to find out which accounts are colliding. You can use the Authentications page under the Operations tab to look for the following attributes; they help you understand and control which identities are actually used if you face an ambiguous identity error.
- AD-Candidate-Identities: Whenever ambiguous identities are first located, this attribute shows the candidate identities. This can be useful in determining why an identity is ambiguous.
- AD-Resolved-Identities: After the identity is located and is used in operations such as authentication, get-groups and get-attributes, this attribute is updated with the resolved identities. There might be more than one in case of an identity clash.
- AD-Resolved-Providers: This attribute provides the Active Directory join point on which the identity was resolved.

View Active Directory Joins for a Node
You can use the Node View button on the Active Directory page to view the status of all Active Directory join points for a given Cisco ISE node, or a list of all join points on all Cisco ISE nodes.

Step 1 Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2 Click Node View.
Step 3 Select a node from the ISE Node drop-down list. The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a deployment, this table may take several minutes to populate.
Step 4 Click the join point Name link to go to that Active Directory join point page and perform other specific actions.
Step 5 Click the Diagnostic Summary link to go to the Diagnostic Tools page to troubleshoot specific issues. The diagnostic tool displays the latest diagnostic results for each join point per node.

Enable Active Directory Debug Logs
Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.

Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit.
Step 3 Click the Active Directory radio button, and click Edit.
Step 4 Choose DEBUG from the drop-down list next to Active Directory.
This level includes errors, warnings, and informational messages; choose the most verbose level to get full logs.

Obtain the Active Directory Log File for Troubleshooting
Download and view the Active Directory debug logs to troubleshoot issues you may have.

Before You Begin
Active Directory debug logging must be enabled.

Step 1 Choose Operations > Troubleshoot > Download Logs.
Step 2 Click the node from which you want to obtain the Active Directory debug log file.
Step 3 Click the Debug Logs tab.
Step 4 Scroll down this page to locate the Active Directory debug log file. Click this file to download it.

Active Directory Advanced Tuning
The advanced tuning feature provides node-specific settings used for support actions under the supervision of Cisco support personnel, to adjust parameters deeper in the system. It is not intended for the normal administration flow, and should be used only as directed by support.

AD Connector Internal Operations
The following sections describe the internal operations that take place in the AD connector.

Domain Discovery Algorithm
Cisco ISE performs domain discovery in three phases:
1. Queries the joined domains: discovers the domains in its own forest and the domains externally trusted by the joined domain.
2. Establishes trust with the domains in trusted forests.
3. Discovers the domains in the trusted forests.
In addition, Cisco ISE discovers DNS domain names (UPN suffixes), alternative UPN suffixes and NetBIOS domain names. The default domain discovery frequency is every two hours. You can modify this value from the Advanced Tuning page, but only in consultation with Cisco support.

DC Discovery
The AD connector selects a domain controller (DC) for a given domain as follows:
1. Performs a DNS SRV query (not scoped to a site) to get the full list of domain controllers in the domain.
2. Performs DNS resolution for SRV targets that lack IP addresses.
3. Sends CLDAP ping requests to the domain controllers according to the priorities in the SRV records and processes only the first response, if any. The CLDAP response contains the DC site and the client site (that is, the site to which the Cisco ISE machine is assigned).
4. If the DC site and the client site are the same, the response originator (that is, the DC) is selected.
5. If the DC site and the client site are not the same, the AD connector performs a DNS SRV query scoped to the discovered client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes only the first response, if any.
The response originator (that is, the DC) is then selected. If there is no DC serving the client's site, or no DC is currently available in that site, then the DC that answered the unscoped CLDAP ping is selected.

You can influence the domain controllers that Cisco ISE uses by creating and using an Active Directory site. See the Microsoft Active Directory documentation on how to create and use sites.

Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs is prioritized for selection before the DNS SRV queries. However, the list of preferred DCs is not an exclusive list: if the preferred DCs are unavailable, other DCs can be selected. You can create a list of preferred DCs in the following cases:
- The SRV records are bad, missing or not configured.
- The site association is wrong or missing, or the site cannot be used.
- The DNS configuration is wrong or cannot be fixed.

DC Failover
Domain controller (DC) failover can be triggered by the following conditions:
- The AD connector detects that the currently selected DC has become unavailable during LDAP, RPC, or Kerberos communication. The DC might be unavailable because it is down or has no network connectivity. In such cases, the AD connector initiates DC selection and fails over to the newly selected DC.
- The DC is up and responds to the CLDAP ping, but the AD connector cannot communicate with it for some reason, for example because the RPC port is blocked, the DC is in a broken replication state, or the DC was not demoted properly. In such cases, the AD connector initiates DC selection with a blacklist (the "bad" DC is placed in the blacklist) and tries to communicate with the newly selected DC. Neither the DC selected with the blacklist nor the blacklist itself is cached.

DNS Failover
You can configure up to three DNS servers and one domain suffix. If you are using the Active Directory identity store sequence in Cisco ISE, you must ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS domain you want to use. DNS failover happens only when the first DNS server is down; the failover DNS server should therefore have the same records as the first one. If a DNS server fails to resolve a query, the DNS client does not try another DNS server.
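The DC selection, preferred-DC list and blacklist failover described above, as an added Python model written for this page (not Cisco ISE code). The DNS zone and CLDAP answers are constructed in-line; dc1/dc2/dc3.acme.com and the HQ and Branch sites are placeholders, and the function names (select_dc, failover, demo) are mine. Within one SRV priority RFC 2782 prescribes weighted random selection; this model simply orders by priority, then weight, which is an assumption rather than something the page states.

```python
"""Model of the AD connector's DC discovery, preferred-DC list and failover.

Added example, not Cisco code.  The DNS zone and CLDAP answers are constructed;
hostnames, sites and acme.com are placeholders.  Weighted random choice within
one SRV priority (RFC 2782) is simplified to priority-then-weight ordering.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Srv:
    target: str
    priority: int
    weight: int


@dataclass
class Cldap:
    dc_site: str      # site the responding DC belongs to
    client_site: str  # site the DC says the client (Cisco ISE) belongs to


@dataclass
class Environment:
    srv: Dict[str, List[Srv]]          # SRV name -> records; site-scoped names are _ldap._tcp.<site>._sites.<domain>
    cldap: Dict[str, Optional[Cldap]]  # DC host -> CLDAP response, or None when the DC does not answer
    preferred: List[str] = field(default_factory=list)


def srv_targets(env: Environment, name: str) -> List[str]:
    """SRV targets ordered by priority (lowest first), then weight (highest first)."""
    records = sorted(env.srv.get(name, []), key=lambda r: (r.priority, -r.weight))
    return [r.target for r in records]


def first_responder(env: Environment, hosts: List[str], blacklist: Set[str]) -> Optional[Tuple[str, Cldap]]:
    """CLDAP-ping hosts in order and keep only the first response; blacklisted DCs are skipped."""
    for host in hosts:
        if host in blacklist:
            continue
        resp = env.cldap.get(host)
        if resp is not None:
            return host, resp
    return None


def select_dc(env: Environment, domain: str, blacklist: Optional[Set[str]] = None) -> Optional[str]:
    blacklist = blacklist or set()
    # Preferred DCs are tried before any SRV lookup, but the list is not exclusive.
    hit = first_responder(env, env.preferred, blacklist)
    if hit is not None:
        return hit[0]
    # Unscoped SRV query, then CLDAP ping in priority order; the first answer wins.
    hit = first_responder(env, srv_targets(env, f"_ldap._tcp.{domain}"), blacklist)
    if hit is None:
        return None
    dc, resp = hit
    if resp.dc_site == resp.client_site:   # same site: take the responder
        return dc
    # Different site: SRV query scoped to the client's site, then ping those DCs.
    scoped = srv_targets(env, f"_ldap._tcp.{resp.client_site}._sites.{domain}")
    local = first_responder(env, scoped, blacklist)
    return local[0] if local is not None else dc   # no usable DC in the site: keep the first responder


def failover(env: Environment, domain: str, bad_dc: str) -> Optional[str]:
    """A DC that answers CLDAP but cannot be used (RPC port blocked, broken replication)
    is blacklisted for one fresh selection; neither the result nor the blacklist is cached."""
    return select_dc(env, domain, blacklist={bad_dc})


def demo() -> Dict[str, Optional[str]]:
    env = Environment(
        srv={
            "_ldap._tcp.acme.com": [Srv("dc1.acme.com", 0, 100), Srv("dc2.acme.com", 0, 50),
                                    Srv("dc3.acme.com", 10, 100)],
            "_ldap._tcp.Branch._sites.acme.com": [Srv("dc3.acme.com", 0, 100)],
        },
        cldap={
            "dc1.acme.com": Cldap(dc_site="HQ", client_site="Branch"),
            "dc2.acme.com": Cldap(dc_site="HQ", client_site="Branch"),
            "dc3.acme.com": Cldap(dc_site="Branch", client_site="Branch"),
        },
    )
    out = {}
    out["site_pick"] = select_dc(env, "acme.com")                      # dc1 answers first, but dc3 is in our site
    out["after_failover"] = failover(env, "acme.com", "dc3.acme.com")  # dc3 blacklisted: back to dc1
    env.cldap["dc3.acme.com"] = None                                   # dc3 goes down
    out["site_down"] = select_dc(env, "acme.com")                      # no DC left in Branch: first responder dc1
    env.preferred = ["dc2.acme.com"]
    out["preferred"] = select_dc(env, "acme.com")                      # preferred list wins over SRV
    return out
```

The model makes the two non-obvious properties of the text checkable: a DC in the client's site beats a higher-priority DC elsewhere, and blacklisting the only in-site DC silently falls back to the cross-site responder rather than failing.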
By default, a DNS query is retried twice and times out after 3 seconds.

Resolving Identity Algorithm
For an identity, different algorithms are used to locate the user or machine object based on the type of identity, whether a password was supplied, and whether any domain markup is present in the identity. The following are the different algorithms used by Cisco ISE to resolve the different types of identity. If the identity has been rewritten according to the configured identity rewrite rules, identity resolution is applied to the rewritten identity.

SAM Names
If the identity is a SAM name (a username or machine name without any domain markup), Cisco ISE searches the forest of each join point (once) looking for the identity. If there is a unique match, Cisco ISE determines its domain or the unique name and proceeds with the AAA flow.

If the SAM name is not unique and Cisco ISE is configured to use a password-less protocol such as EAP-TLS, there are no other criteria to locate the right user, so Cisco ISE fails the authentication with an "Ambiguous Identity" error. However, if the user certificate is present in Active Directory, Cisco ISE uses binary comparison to resolve the identity.

If Cisco ISE is configured to use a password-based protocol such as PAP or MSCHAP, Cisco ISE continues by checking the password against the candidate accounts. If there is a unique match, Cisco ISE proceeds with the AAA flow. However, if there is more than one account with the same password, Cisco ISE fails the authentication with an "Ambiguous Identity" error.

Using unique identities not only increases efficiency and security but also prevents accounts from being locked out. For example, suppose two "chris" accounts exist with different passwords and Cisco ISE receives only the SAM name "chris". In this scenario, Cisco ISE tries both accounts with SAM name chris before deciding on the correct one, and Active Directory can lock out one of the accounts because of the failed password attempts. Therefore, you should try to use unique usernames, or ones that carry domain markup. Alternatively, you can use identity rewrite to qualify SAM names if you use specific network devices for each domain.

UPNs
If the identity is a UPN, Cisco ISE searches each forest's global catalogs looking for a match to that UPN identity.
If there is a unique match, Cisco ISE proceeds with the AAA flow. If there are multiple join points with the same UPN and a password was not supplied, or does not help in determining the right account, Cisco ISE fails the authentication with an "Ambiguous Identity" error.

Cisco ISE also permits an identity that appears to be a UPN to match the user's mail attribute, that is, it searches for "identity = matching UPN or email". Some users log in with their email name (often via a certificate) and not a real UPN. This is done implicitly if the identity looks like an email address.

Machine Identities
If it is a machine authentication, with the identity having a host/ prefix, Cisco ISE searches the forest for a match. If a fully qualified domain suffix was specified in the identity, for example host/machine.domain.com, Cisco ISE searches the forest where that domain exists. If the identity is in the form host/machine, Cisco ISE searches all forests for the identity. If there is more than one match, Cisco ISE fails the authentication with an "Ambiguous Identity" error. If the machine identity is in another format, for example laptop$, Cisco ISE uses the normal UPN, NetBIOS or SAM-name resolution described here.

NetBIOS Identities
If the identity has a NetBIOS domain prefix, for example ACME\jdoe, Cisco ISE searches the forests for that NetBIOS domain. Once found, it then looks for the supplied SAM name ("jdoe" in this example) in that domain. A NetBIOS domain name is not necessarily unique, even within one forest, so the search may find multiple NetBIOS domains with the same name. If this occurs and a password was supplied, it is used to locate the right identity. If there is still ambiguity, or no password was supplied, Cisco ISE fails the authentication with an "Ambiguous Identity" error.
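The Resolving Identity Algorithm above, together with the certificate binary comparison option from the certificate authentication profile section and the "Reject the request" identity resolution setting, as one added Python model written for this page (not Cisco ISE code). The directory, the passwords and the certificate byte strings are constructed placeholders, and the account and function names (Account, locate, resolve, demo) are mine; a real deployment does these lookups against the global catalog.

```python
"""Model of the identity resolution algorithm: SAM, UPN/e-mail, host/ (SPN) and
NetBIOS identities, the password tie-break, the certificate binary comparison
and the "Reject the request" setting for identities without domain markup.

Added example, not Cisco code.  Directory, passwords and certificate bytes are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    forest: str
    domain_dns: str
    netbios: str
    sam: str
    upn: str
    mail: Optional[str] = None
    password: Optional[str] = None
    cert: Optional[bytes] = None        # stands in for the userCertificate DER blob
    spns: Set[str] = field(default_factory=set)
    bad_password_count: int = 0         # what a DC would count toward lockout


def locate(directory: List[Account], identity: str, reject_unqualified: bool) -> Tuple[str, List[Account]]:
    """Pick the search strategy from the identity's domain markup; return (kind, candidates)."""
    ident = identity.lower()
    if ident.startswith("host/"):
        name = ident[len("host/"):]
        if "." in name:   # FQDN SPN: only the forest that holds that DNS domain
            domain = name.split(".", 1)[1]
            forests = {a.forest for a in directory if a.domain_dns.lower() == domain}
        else:             # bare host/machine: every forest
            forests = {a.forest for a in directory}
        return "spn", [a for a in directory
                       if a.forest in forests and ident in {s.lower() for s in a.spns}]
    if "\\" in identity:  # NetBIOS prefix: that NetBIOS domain, then the SAM name inside it
        prefix, sam = ident.split("\\", 1)
        return "netbios", [a for a in directory if a.netbios.lower() == prefix and a.sam.lower() == sam]
    if "@" in identity:   # UPN, or an e-mail address matching the mail attribute
        return "upn", [a for a in directory if a.upn.lower() == ident or (a.mail or "").lower() == ident]
    if reject_unqualified:  # "Reject the request" for identities without domain markup
        return "rejected", []
    return "sam", [a for a in directory if a.sam.lower() == ident]


def resolve(directory: List[Account], identity: str, password: Optional[str] = None,
            client_cert: Optional[bytes] = None, reject_unqualified: bool = False) -> Tuple[str, List[Account]]:
    kind, candidates = locate(directory, identity, reject_unqualified)
    if kind == "rejected":
        return "rejected", []
    if not candidates:
        return "not-found", []
    if password is not None:
        # Password-based protocol (PAP, MSCHAP): the password is tried against every
        # candidate, so a wrong guess on one "chris" is a bad-password event on the other.
        survivors = []
        for a in candidates:
            if a.password == password:
                survivors.append(a)
            else:
                a.bad_password_count += 1
        candidates = survivors
    elif client_cert is not None and len(candidates) > 1:
        # Password-less protocol (EAP-TLS): only a binary comparison of the client
        # certificate with the certificate stored on the account can break the tie.
        candidates = [a for a in candidates if a.cert == client_cert]
    if len(candidates) == 1:
        return "ok", candidates
    if candidates or client_cert is not None:
        return "ambiguous-identity", candidates
    return "failed", candidates      # wrong password for the only candidate


def demo() -> dict:
    cert_a, cert_b = b"DER-placeholder-A", b"DER-placeholder-B"   # constructed, not real certificates
    directory = [
        Account("acme", "emea.acme.com", "ACME", "jdoe", "jdoe@acme.com", "john.doe@acme.com", "s3cret", cert_a),
        Account("acme", "amer.acme.com", "AMERACME", "jdoe", "jdoe@amer.acme.com", None, "0ther", cert_b),
        Account("acme", "emea.acme.com", "ACME", "chris", "chris@emea.acme.com", None, "pw-one"),
        Account("xyz", "corp.xyz.com", "XYZ", "chris", "chris@xyz.com", None, "pw-two"),
        Account("acme", "emea.acme.com", "ACME", "laptop1$", "laptop1$@emea.acme.com",
                spns={"host/laptop1", "host/laptop1.emea.acme.com"}),
        Account("xyz", "corp.xyz.com", "XYZ", "laptop1$", "laptop1$@corp.xyz.com",
                spns={"host/laptop1", "host/laptop1.corp.xyz.com"}),
    ]
    out = {}
    out["sam_eap_tls"] = resolve(directory, "jdoe")[0]                           # two jdoe, no tie-breaker
    out["sam_cert"] = resolve(directory, "jdoe", client_cert=cert_b)[1][0].upn   # binary comparison breaks the tie
    out["sam_password"] = resolve(directory, "chris", password="pw-two")[1][0].upn
    out["lockout_hit"] = directory[2].bad_password_count                         # the other chris took a bad-password hit
    out["mail_as_upn"] = resolve(directory, "john.doe@acme.com")[1][0].sam
    out["netbios"] = resolve(directory, "ACME\\jdoe")[1][0].upn
    out["short_spn"] = resolve(directory, "host/laptop1")[0]                     # ambiguous across forests
    out["fqdn_spn"] = resolve(directory, "host/laptop1.corp.xyz.com")[1][0].forest
    out["reject"] = resolve(directory, "jdoe", reject_unqualified=True)[0]
    return out
```

The bad_password_count field is the point of the "chris" warning in the text: one correct login for the XYZ chris still registers a failed attempt against the ACME chris, which is how unqualified SAM names cause lockouts.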
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2015 Cisco Systems, Inc. All rights reserved.
