Identity Management with Cisco ISE and AD

Cisco Identity Services Engine (ISE 2.0) and Active Directory (Windows Server 2012) user and device management.

From a security point of view, network device and user management should address Confidentiality, Integrity and Availability (CIA) by defining Authentication, Authorization and Accounting (AAA). Here we describe a basic AAA implementation using 802.1X (EAPOL) and RADIUS, with identities managed in Active Directory and enforced through ISE policies.

  • Basic ISE local device management: ISE manages network devices under Network Devices and Network Device Groups, where devices are placed in self-defined logical groups. This is workable in small to medium networks, where the number of devices can still be maintained by hand. Groups are defined first and a device is then added to an existing group, so the group is a prerequisite for the device.
    • Network Device Groups are added under Network Resources in the Administration menu. Two root groups exist by default, “All Device Types” and “All Locations”. New groups can be nested under these or under other existing groups, or started as a new tree. (Ref: Image-1 and Image-2)

Ref: Image-1: Adding device group

Ref: Image-2: Adding device group details

    • Devices are added as members of a device group. This is done via the “Network Devices” menu, a sub-category of “Network Resources” under the Administration menu (Image-3). The device entry holds the Name, Description, IP address, device group membership, TrustSec settings and the RADIUS Authentication Settings, including the shared secret that the device itself must be configured with (Image-4).

Ref: Image-3: Adding Network devices

Ref: Image-4: Adding device
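The GUI steps above do not scale past a handful of devices. As an added example (not from the original page and not Cisco's code), the following Python script builds the same group-then-device sequence for the ISE ERS REST API, so a device inventory can be loaded in bulk with a distinct RADIUS shared secret per device. It assumes ERS is enabled on the admin node (TCP 9060) with an account holding the ERS Admin role; the resource paths, JSON shapes and field names (such as othername and NetworkDeviceGroupList) are assumed from the ERS SDK documentation, and the inventory, hostnames and URL are constructed sample data.

```python
"""Bulk-load ISE network device groups and network devices through ERS.

Added example; not Cisco code. ERS paths/field names are assumed from the
ERS SDK, and the inventory below is constructed sample data.
"""
import base64
import ipaddress
import json
import secrets
import urllib.request

# Constructed sample inventory. Group names use the ERS "Root#Parent#Child"
# form and hang under the two root groups ISE ships with.
GROUP_TREES = {
    "Location": [["All Locations", "HQ"], ["All Locations", "Branch-01"]],
    "Device Type": [["All Device Types", "Access Switch"]],
}
DEVICES = [
    {"name": "sw-hq-access-01", "ip": "10.10.1.11",
     "groups": ["Location#All Locations#HQ",
                "Device Type#All Device Types#Access Switch"]},
    {"name": "sw-br01-access-01", "ip": "10.20.1.11",
     "groups": ["Location#All Locations#Branch-01",
                "Device Type#All Device Types#Access Switch"]},
]

MIN_SECRET_LEN = 16  # local policy; stricter than what the ISE GUI accepts
GROUP_PATH = "/ers/config/networkdevicegroup"   # assumed ERS resource paths
DEVICE_PATH = "/ers/config/networkdevice"


def group_name(root, path):
    return "#".join([root, *path])


def group_payload(root, path):
    """ERS NetworkDeviceGroup body. 'othername' carries the root category
    ("Location", "Device Type"); field name assumed from the ERS SDK."""
    return {"NetworkDeviceGroup": {
        "name": group_name(root, path),
        "description": f"{root}: {path[-1]}",
        "othername": root,
    }}


def device_payload(dev, shared_secret, known_groups):
    """ERS NetworkDevice body with a per-device RADIUS shared secret.
    Rejects malformed IPs, weak secrets and references to undefined groups
    before anything is sent, so the ISE GUI is not where errors surface."""
    ip = ipaddress.ip_address(dev["ip"])          # ValueError on a bad address
    if len(shared_secret) < MIN_SECRET_LEN:
        raise ValueError(f"{dev['name']}: shared secret shorter than {MIN_SECRET_LEN} chars")
    missing = [g for g in dev["groups"] if g not in known_groups]
    if missing:
        raise ValueError(f"{dev['name']}: undefined group(s) {missing}")
    return {"NetworkDevice": {
        "name": dev["name"],
        "description": dev.get("description", ""),
        "authenticationSettings": {
            "networkProtocol": "RADIUS",
            "radiusSharedSecret": shared_secret,
            "enableKeyWrap": False,
        },
        "NetworkDeviceIPList": [{"ipaddress": str(ip), "mask": ip.max_prefixlen}],
        "NetworkDeviceGroupList": list(dev["groups"]),
    }}


def build_plan(group_trees, devices, secret_for):
    """Ordered (ERS path, body) list: groups first, because ISE rejects a
    device that names a group which does not exist yet (the "group as
    prerequisite" rule from the GUI procedure)."""
    plan, known = [], set()
    for root, paths in group_trees.items():
        for path in paths:
            plan.append((GROUP_PATH, group_payload(root, path)))
            known.add(group_name(root, path))
    for dev in devices:
        plan.append((DEVICE_PATH, device_payload(dev, secret_for(dev["name"]), known)))
    return plan


def ers_request(base_url, username, password, path, body):
    """POST request for ERS (HTTP Basic auth, JSON in and out). Nothing is
    sent until urllib.request.urlopen() is called on the returned object."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )


if __name__ == "__main__":
    # One random secret per device; in practice these go to a secrets store
    # and into each switch's RADIUS server configuration.
    device_secrets = {d["name"]: secrets.token_urlsafe(24) for d in DEVICES}
    for ers_path, body in build_plan(GROUP_TREES, DEVICES, device_secrets.__getitem__):
        req = ers_request("https://ise-admin.example.net:9060", "ersadmin", "REDACTED", ers_path, body)
        print(req.get_method(), req.full_url)
        print(json.dumps(body, indent=2))
```

Run as-is it only prints the requests; wiring in urlopen() turns it into the actual load. Generating a unique secret per device (rather than one shared secret for the whole estate) limits what a compromised switch can do: it can only impersonate itself towards ISE, not every other network device.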

 

 

  • Basic ISE local user and endpoint management: this follows the same approach as device management. It is located under Identities, within Identity Management in the Administration menu; both Endpoints and Users are maintained there in a straightforward, intuitive menu.
  • ISE external identity management with Windows Active Directory: local user and endpoint management in ISE is entirely manual and quickly becomes impractical once the number of users and devices grows. This is where Active Directory comes into play. A new Identity Source Sequence is added to ISE so that users and endpoints are checked against AD users and computers as well as the local (internal) store. This is done in two steps; which store or sequence is actually used for identification is then selected in the authentication policy under “Identity Store”.
    • The Active Directory server is defined under “External Identity Sources” in the Identity Management sub-menu. Joining ISE to the domain requires a domain account with rights to create the ISE computer object in the domain. A domain admin account works, but a delegated account limited to joining computers is the least-privilege choice, since the credential only has to be valid for the join itself.

Ref: Image-5.1: Adding AD

Ref: Image-5.2: Adding ISE to AD

    • Add Active Directory as an option for identity verification: to use Active Directory, the AD join point must be included in an Identity Source Sequence, which defines the order in which the identity stores are consulted (see Image 6-1 and Image 6-2).

REF: Image 6-1: setting Identity source sequences

REF: Image 6-2: setting Identity source sequences

    • Implement policy: finally, under Authentication, the authentication policy is changed to use the Active Directory and local users sequence as its identity source (Ref: Image 7).

Ref Image 7: Implementing Authentication policy with active directory
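What the sequence does at authentication time matters for availability and for which store ends up authoritative. The following Python model, added here and not ISE code, walks an identity source sequence the way ISE does: the first store that knows the user decides the outcome, a store that does not know the user hands off to the next one, and an unreachable store is handled by the sequence's advanced setting (stop with ProcessError, or treat the user as not found and continue). The stores, usernames and passwords are constructed sample data, and the class and function names are the example's own.

```python
"""Model of ISE Identity Source Sequence evaluation during authentication.

Added example; simplified model, not ISE code. Stores and users below are
constructed sample data.
"""
import hmac
from enum import Enum


class Result(Enum):
    SUCCESS = "Success"
    AUTH_FAILED = "AuthenticationFailed"   # user known to the store, wrong credentials
    USER_NOT_FOUND = "UserNotFound"
    PROCESS_ERROR = "ProcessError"         # a store was unreachable and the sequence stopped


class StoreUnavailable(Exception):
    """Raised when a store cannot be reached (e.g. the AD join point is down)."""


class IdentityStore:
    def __init__(self, name, users, available=True):
        self.name, self.users, self.available = name, users, available

    def authenticate(self, username, password):
        if not self.available:
            raise StoreUnavailable(self.name)
        if username not in self.users:
            return Result.USER_NOT_FOUND
        ok = hmac.compare_digest(self.users[username].encode(), password.encode())
        return Result.SUCCESS if ok else Result.AUTH_FAILED


class OnUnavailable(Enum):
    """The sequence's advanced setting for a store that cannot be reached."""
    PROCESS_ERROR = "Do not access other stores; set AuthenticationStatus to ProcessError"
    TREAT_AS_NOT_FOUND = "Treat as if the user was not found and proceed to the next store"


def authenticate(sequence, on_unavailable, username, password):
    """Walk the stores in order. The first store that knows the user decides
    the outcome; only 'user not found' (or, with TREAT_AS_NOT_FOUND, an
    unreachable store) hands off to the next store. Returns (result, store)."""
    for store in sequence:
        try:
            result = store.authenticate(username, password)
        except StoreUnavailable:
            if on_unavailable is OnUnavailable.PROCESS_ERROR:
                return Result.PROCESS_ERROR, store.name
            continue                       # fall through to the next store
        if result is not Result.USER_NOT_FOUND:
            return result, store.name
    return Result.USER_NOT_FOUND, None


def make_stores(ad_available=True):
    """Constructed sample sequence: AD first, Internal Users second. 'jdoe'
    exists in both with different passwords, the case the fallback setting affects."""
    ad = IdentityStore("AD:corp.example",
                       {"jdoe": "Ad-Passw0rd!", "asmith": "Ad-Other!"}, ad_available)
    internal = IdentityStore("Internal Users",
                             {"jdoe": "Local-Legacy-Pw", "svc-nac": "Svc-Pw"})
    return [ad, internal]


if __name__ == "__main__":
    cases = [
        (make_stores(), OnUnavailable.PROCESS_ERROR, "jdoe", "Ad-Passw0rd!"),
        (make_stores(), OnUnavailable.PROCESS_ERROR, "jdoe", "Local-Legacy-Pw"),
        (make_stores(), OnUnavailable.PROCESS_ERROR, "svc-nac", "Svc-Pw"),
        (make_stores(False), OnUnavailable.PROCESS_ERROR, "svc-nac", "Svc-Pw"),
        (make_stores(False), OnUnavailable.TREAT_AS_NOT_FOUND, "jdoe", "Local-Legacy-Pw"),
    ]
    for seq, setting, user, pw in cases:
        ad_state = "up" if seq[0].available else "down"
        print(f"AD {ad_state:4} {setting.name:18} {user:8} -> {authenticate(seq, setting, user, pw)}")
```

The last case is the one to weigh before choosing "treat as if the user was not found": a username that exists in both AD and the internal store is authenticated by the internal store's password whenever AD is down, so internal accounts should not shadow domain usernames, and the failover behaviour should be a deliberate choice rather than a default. With the ProcessError setting the sequence fails closed instead, which also blocks local-only accounts placed after AD in the sequence.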