Most ISE deployments use a join to Active Directory to be able to query AD groups, perform user lookups, etc. In this post, I’ll join my ISE lab server to AD. First I’m going to create two OUs in my AD, one for users and one for computers. Why not use the default ones? They are containers, not OUs, which means you can’t apply GPOs to them. Additionally, it makes for cleaner separation from the built-in accounts and allows for applying policies that won’t affect them. I’m creating two OUs:
- iselab users.
- iselab computers.
This is done by going to Active Directory Users and Computers, then right clicking the AD domain and selecting New -> Organizational Unit:
Give the OU a name and then click OK:
Repeat for the computers OU. You should now be able to see the OUs:
I’m going to create a user named Bob that I’ll be using to test login later. Right click the users OU and then select New -> User:
Enter the name and logon name:
Click Next. Enter a password for the user. As this is a lab, I won’t require that the user changes the password and the password is set to not expire:
Click Next. Then click Finish. The user has been created:
Now we’re going to join ISE to AD. We’ll need two things:
- AD domain name.
- AD account with Domain Admin privileges.
The Domain Admin credentials are required to join the domain. Note that they are only used once and that the credentials aren’t stored anywhere in ISE.
In ISE go to Administration -> External Identity Sources -> Active Directory. The list is currently empty:
Click + Add and enter the Join Point Name and the AD domain:
Click Submit. A popup appears asking if all nodes should be joined to the domain:
Select Yes. Enter credentials of a Domain Admin to join:
Click OK. The process is completed:
The AD join has been added:
Going back to the AD console, there is now an account that has been created for ISE:
Finally, let’s import the OUs from AD that we created previously. Go to the Groups tab when your join point is selected:
Click + Add and then Select Groups from Directory:
Click Retrieve Groups…
Then select the groups you want and click OK:
Click Save.
That’s it! We’ve joined AD with ISE and will now be able to query it to for example verify if a user is part of an AD group when writing our authz rules.