Bienvenido a la segunda publicación de la serie Cisco ISE. El primer artículo destacó las ventajas y diferencias de las soluciones de control de acceso a la red (NAC) de AAA estándar, la singularidad de Cisco ISE, la arquitectura y el proceso de instalación del producto.
En este artículo profundizaremos en la creación de cuentas, la adición de servidores LDAP y la integración con Microsoft Active Directory, así como los matices de trabajar con PassiveID. Antes de leer, le recomiendo encarecidamente que lea la primera parte .
1. Un poco de terminología
User Identity - , . , , User Identity: , , , , .
User Groups - - , , Cisco ISE.
User Identity Groups - , . User Identity Groups , : Employee (), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts ( ), Guest (), ActivatedGuest ( ).
User Role - - , , . .
2.
1) Cisco ISE . Administration → Identity Management → Identities → Users → Add.
2) , .
3) . Administration → Identity Management → Identities → Users Import csv txt . , Generate a Template, .
3. LDAP
, LDAP - , , , LDAP , 389 636 (SS). LDAP Active Directory, Sun Directory, Novell eDirectory OpenLDAP. LDAP DN (Distinguished Name) (retrieval) , .
Cisco ISE LDAP , . , (primary) LDAP , ISE (secondary) . , 2 PAN, PAN LDAP, PAN - LDAP.
ISE 2 (lookup) LDAP : User Lookup MAC Address Lookup. User Lookup LDAP : , . MAC Address Lookup MAC LDAP , MAC .
Active Directory Cisco ISE LDAP .
1) Administration → Identity Management → External Identity Sources → LDAP → Add.
2) General LDAP ( Active Directory).
3) Connection Hostname/IP address AD , (389 - LDAP, 636 - SSL LDAP), (Admin DN - DN), .
: .
4) Directory Organization DN, .
5) Groups → Add → Select Groups From Directory LDAP .
6) Retrieve Groups. , . , ISE c LDAP LDAP .
7) Attributes , LDAP , Advanced Settings Enable Password Change, , . Submit .
8) LDAP .
4. Active Directory
1) Microsoft Active Directory LDAP , , , . AD Cisco ISE. Administration → Identity Management → External Identity Sources → Active Directory → Add.
: AD ISE DNS, NTP AD , .
2) Store Credentials. OU (Organizational Unit), ISE - OU. Cisco ISE, .
3) , PSN Administration → System → Deployment Passive Identity Service. PassiveID - , User IP . PassiveID AD WMI, AD SPAN ( ).
: Passive ID ISE show application status ise | include PassiveID.
4) Administration → Identity Management → External Identity Sources → Active Directory → PassiveID Add DCs. OK.
5) DC Edit. FQDN DC, , WMI Agent. WMI OK.
6) WMI Active Directory, ISE . , , login . 2 : . PassiveID Add Agent → Deploy New Agent (DC ). ( , FQDN , / ) OK.
7) Cisco ISE Register Existing Agent. , Work Centers → PassiveID → Providers → Agents → Download Agent.
: PassiveID logoff! - user session aging time 24 . logoff , - , logoff .
logoff "Endpoint probes" - . Endpoint probes Cisco ISE : RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. RADIUS probe CoA (Change of Authorization) ( 802.1X), SNMP, .
, Cisco ISE + AD 802.1X RADIUS: Windows , logoff, WiFi. - , - logoff. , .
8) Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory AD, ISE ( 3 “ LDAP ”). Retrieve Groups → OK.
9) Work Centers → PassiveID → Overview → Dashboard , , .
10) Live Sessions . AD .
5.
Cisco ISE, LDAP Microsoft Active Directory. .
(Telegram, Facebook, VK, TS Solution Blog, .).