Introduction

ISE can use Active Directory as its primary identity store, enabling it to authenticate users and devices based on their AD credentials. This integration allows ISE to enforce network access policies tied to AD group memberships, user roles, and organizational units, ensuring that only authorized users and devices can access the network according to their defined permissions. Additionally, ISE can utilize AD attributes to apply context-aware policies, enabling dynamic and granular access control. By combining ISE’s advanced policy enforcement with AD’s robust identity management, organizations can achieve a more secure and well-managed network environment.

Joining ISE to the Active Directory Domain

In previous posts, I mentioned the importance of synchronizing the time on ISE and the Windows Server. If the time skew between ISE and AD is greater than 5 minutes, ISE will not join the domain. Another thing to note is that the DNS server you configured ISE to query must be able to resolve the AD SRV records, because those are what ISE uses to locate a domain controller. If it cannot, ISE will fail to find the domain controller and will not join the domain.

In ISE, navigate to Administration>Identity Management>External Identity Sources>Active Directory.

Click Add.

In the Join Point Name field, use the computer name of the AD server.

Add the domain name in the Active Directory Domain field.

Click Submit.

After clicking Submit, you will receive a dialog box asking if you want to join the ISE nodes to the Active Directory Domain. Click Yes.

On the Join Domain dialog box, enter AD credentials that have permission to join computers to the domain.

At this point, ISE will try to join the domain. If the join succeeds, you should see the confirmation message shown below.

If ISE cannot join the domain, you should get a message stating why. If the cause is still not clear, check the following:

  • Network connectivity between ISE and the domain controller
  • Network connectivity between ISE and the DNS server
  • That DNS records for the AD server exist on the DNS server
  • Time difference between ISE and your domain controller
  • Domain controller and DNS server firewall settings
  • Active Directory username and password

After ISE is joined to the domain, click on the Groups tab.

Click on Add>Select Groups From Directory.

This is where we add Active Directory groups to ISE for later use in the Authentication policy. In a large Active Directory domain with thousands of groups, you can use the Name Filter field to search for a specific group or narrow the list down. The search supports wildcards (*). I used a wildcard to pull up all my AD groups in the screenshot below.

Check the box next to any Active Directory group you want to use in your network access control (RADIUS) and device administration (TACACS) policies and click OK. Essentially, if you plan on granting access, or differentiated access, based on an Active Directory group, add that group here for later use in policies.

Navigate to the Attributes tab.

This is where we can add specific AD attributes we may want to use for future policies.

Click Add>Select Attributes from Directory.

Enter a username or machine name in the Sample User or Machine Account field. This will pull up the AD attributes for that account. You can check the boxes for attributes you might want to use later in your policies. I checked the boxes for the cn, memberOf, and userCertificate attributes in the screenshot below.

On a rare occasion, an identity might need to be rewritten before it is sent to Active Directory. For example, a company may be in the middle of a domain change or acquisition that requires the format to be changed before being passed to AD.

To create Identity Rewrite rules, navigate to the Advanced Settings tab and scroll down to Identity Rewrite.

Select the Apply the Rewrite Rules Below to Modify Username radio option.

In the below example, I have ISE rewrite the domain from DOMAIN-1 to DOMAIN-2 before handing it over to Active Directory. This is just one example of many that you could create or customize.
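To make the rewrite behaviour concrete, the following Python is an added example of my own, not ISE's rewrite engine or its exact rule syntax: it emulates a first-match-wins rewrite table that moves identities from DOMAIN-1 to DOMAIN-2 in both down-level (DOMAIN\user) and UPN (user@domain) forms. The [IDENTITY] placeholder, the rule table, and the domain names are assumptions constructed for this illustration.

```python
import re
from typing import List, Optional, Tuple

# Placeholder standing for the user part of the identity. This convention is
# chosen for the example only and is not a statement about ISE's own syntax.
PLACEHOLDER = "[IDENTITY]"

# Constructed rule table: (match pattern, rewrite pattern), evaluated top-down,
# first match wins. Matching is case-insensitive because AD domain names are.
RULES: List[Tuple[str, str]] = [
    ("DOMAIN-1\\[IDENTITY]", "DOMAIN-2\\[IDENTITY]"),              # down-level form
    ("[IDENTITY]@domain-1.example", "[IDENTITY]@domain-2.example"),  # UPN form
]


def compile_match(match_pattern: str) -> "re.Pattern[str]":
    """Turn a placeholder pattern into an anchored, case-insensitive regex."""
    parts = match_pattern.split(PLACEHOLDER)
    if len(parts) != 2:
        raise ValueError("match pattern must contain exactly one [IDENTITY]")
    head, tail = (re.escape(p) for p in parts)
    # The user part must be non-empty and must not contain another separator,
    # so "DOMAIN-1\" alone or "a@b@c" never matches by accident.
    return re.compile(rf"^{head}(?P<identity>[^\\@]+){tail}$", re.IGNORECASE)


def rewrite_identity(identity: str, rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (rewritten identity, index of the rule used, or None if untouched).

    Returning the rule index lets the caller log which rule fired next to the
    original identity, so the audit trail keeps what the endpoint presented.
    """
    for index, (match_pattern, rewrite_pattern) in enumerate(rules):
        m = compile_match(match_pattern).match(identity)
        if m:
            return rewrite_pattern.replace(PLACEHOLDER, m.group("identity")), index
    return identity, None


if __name__ == "__main__":
    # Constructed sample identities as an endpoint might present them.
    for sample in ("DOMAIN-1\\jdoe", "domain-1\\JDoe", "jdoe@domain-1.example",
                   "jdoe@domain-9.example", "DOMAIN-1\\"):
        rewritten, rule = rewrite_identity(sample)
        print(f"{sample!r:32} -> {rewritten!r:32} (rule {rule})")
```

Because AD only ever sees the rewritten name, log the pre-rewrite identity alongside it; otherwise a failed authentication is hard to trace back to what the endpoint actually sent.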

Now that your Identity Services Engine cluster is joined to your Active Directory domain, that is it for this post!