Clever Geek Handbook

Cisco ISE: Benutzer erstellen, LDAP-Server hinzufĂŒgen, in AD integrieren. Teil 2

Willkommen zum zweiten Beitrag in der Cisco ISE-Reihe. Der erste Artikel   hob die Vorteile und Unterschiede von NAC-Lösungen (Network Access Control) gegenĂŒber Standard-AAA, die Einzigartigkeit von Cisco ISE, die Architektur und den Produktinstallationsprozess hervor.

, LDAP Microsoft Active Directory, PassiveID. .

1.

User Identity - , . , , User Identity: , , , , .

User Groups - - , , Cisco ISE.

User Identity Groups - , . User Identity Groups , : Employee (), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts ( ), Guest (), ActivatedGuest ( ).

User Role - - , , . .

, , ( ). .

2.

1) Cisco ISE . Administration → Identity Management → Identities → Users → Add.

Abbildung 1. HinzufĂŒgen eines lokalen Benutzers zu Cisco ISE
1. Cisco ISE

2) , .

Abbildung 2. Erstellen eines lokalen Benutzers in Cisco ISE
2. Cisco ISE

3) . Administration → Identity Management → Identities → Users Import csv txt . , Generate a Template, .

Abbildung 3. Importieren von Benutzern in Cisco ISE
3. Cisco ISE

3. LDAP

, LDAP - , , , LDAP , 389 636 (SS). LDAP Active Directory, Sun Directory, Novell eDirectory OpenLDAP. LDAP DN (Distinguished Name) (retrieval) , .

Cisco ISE LDAP , . , (primary) LDAP , ISE (secondary) . , 2 PAN, PAN LDAP, PAN - LDAP.

ISE 2 (lookup) LDAP : User Lookup MAC Address Lookup. User Lookup LDAP : , . MAC Address Lookup MAC LDAP , MAC .

Active Directory Cisco ISE LDAP .

1) Administration → Identity Management → External Identity Sources → LDAP → Add. 

Abbildung 4. HinzufĂŒgen eines LDAP-Servers
4. LDAP

2) General LDAP ( Active Directory). 

Abbildung 5. HinzufĂŒgen eines LDAP-Servers mit einem Active Directory-Schema
5. LDAP Active Directory

3) Connection Hostname/IP address AD , (389 - LDAP, 636 - SSL LDAP), (Admin DN - DN), .

: .

6. LDAP
6. LDAP

4) Directory Organization DN, .

7. ,
7. ,

5) Groups → Add → Select Groups From Directory LDAP .

8. LDAP
8. LDAP

6) Retrieve Groups. , . , ISE c LDAP LDAP .

9.
9.

7) Attributes , LDAP , Advanced Settings Enable Password Change, , . Submit .

8) LDAP .

10. LDAP
10. LDAP

4. Active Directory

1) Microsoft Active Directory LDAP , , , . AD Cisco ISE. Administration → Identity Management → External Identity Sources → Active Directory → Add. 

: AD ISE DNS, NTP AD , .

11. Active Directory
11. Active Directory

2) Store Credentials. OU (Organizational Unit), ISE - OU. Cisco ISE, .

12.
12.

3) , PSN Administration → System → Deployment Passive Identity Service. PassiveID - , User IP . PassiveID AD WMI, AD SPAN ( ).

: Passive ID ISE show application status ise | include PassiveID.

13. PassiveID
13. PassiveID

4) Administration → Identity Management → External Identity Sources → Active Directory → PassiveID Add DCs. OK.

14.
14.

5) DC Edit. FQDN DC, , WMI Agent. WMI OK.

15.
15.

6) WMI Active Directory, ISE . , , login . 2 : . PassiveID Add Agent → Deploy New Agent (DC ). ( , FQDN , / ) OK.

16. ISE
16. ISE

7) Cisco ISE Register Existing Agent. , Work Centers → PassiveID → Providers → Agents → Download Agent.

17. ISE
17. ISE

: PassiveID logoff! - user session aging time 24 . logoff , - , logoff . 

logoff "Endpoint probes" - . Endpoint probes Cisco ISE : RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. RADIUS probe CoA (Change of Authorization) ( 802.1X), SNMP, .

, Cisco ISE + AD 802.1X RADIUS: Windows , logoff, WiFi. - , - logoff. , .

8) Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory AD, ISE ( 3 “ LDAP ”). Retrieve Groups → OK

18 ). Active Directory
18 ). Active Directory

9) Work Centers → PassiveID → Overview → Dashboard , , .

19.
19.

10) Live Sessions . AD .

20.
20.

5.

Cisco ISE, LDAP Microsoft Active Directory. .

, .

(Telegram, Facebook, VK, TS Solution Blog, .).



More articles:


All Articles