Introduction
Using role-based access control (RBAC) to manage Identity Services Engine (ISE) is crucial for maintaining security and operational efficiency. By assigning specific roles with tailored permissions, administrators can ensure that individuals can only access the functions and data they need, minimizing the risk of accidental misconfigurations or unauthorized changes. This approach enhances security by limiting access to sensitive areas of the system while also streamlining management by delegating responsibilities appropriately within the network and security teams.
Configuring RBAC with Active Directory to manage ISE
Navigate to Administration > System > Admin Access > Authentication.
In the Identity Source drop-down, choose your Active Directory join point.
Click Save.
Navigate to Administration > System > Admin Access > Administrators > Admin Groups.
Click Add to add a new group.
Give the Admin Group a name.
Check the box next to External to indicate that this group will be mapped to an external group.
From the External Groups drop-down, choose the Active Directory group you wish to map to this Admin group.
In the two screenshots below, I map two Active Directory groups to two admin groups in ISE.
Click Submit.
Navigate to Administration > System > Admin Access > Authorization > RBAC Policy.
As you can see from this screen, you can use many pre-built policies to map to Active Directory groups.
Click on Actions next to the Helpdesk Admin Policy and choose Duplicate from the dropdown.
Rename the new policy rule, click the + next to the Helpdesk Admin group in your new rule, and change it to the admin group you created for the helpdesk Active Directory group.
Just like we did with the Help Desk Admin rule, duplicate the Super Admin Policy rule.
Rename the new policy rule, click the + next to the Super Admin group in your new rule, and change it to the admin group you created for the super admin Active Directory group.
After finishing our configuration, click Save.
We should have two Active Directory groups mapped to two roles in ISE.
Next, log completely out of ISE.
You should now see a new field on the ISE login screen: Identity Source. Your Active Directory domain should be the default identity source.
Log into ISE with an account that is a member of the Active Directory group mapped to the Help Desk role in ISE.
Notice that you no longer have access to all the dashboards or configurations in ISE.
Log out of ISE again and, this time, log in with an account that is a member of the Active Directory group mapped to the Super Admin role in ISE.
Notice that you now have access to all the settings in ISE.
One last thing to mention before moving on: at some point you may need a custom role in your RBAC policy that none of the built-in policies or rules covers.
Navigate to Administration > System > Admin Access > Authorization > Permissions.
Under Menu Access and Data Access, you can define exactly what a custom role in your policy is allowed to see and change.
Let us start with the Menu Access first.
Click Add to create a new Menu Access permission (named Context_Visibility_Only in this example).
For Menu Access permissions, I will change the Context Visibility dashboards to Show and leave everything else as Hide.
Click Submit.
Navigate to the Data Access menu.
Click Add to create a new Data Access permission (named Read_Only_Access in this example).
For Data Access permission, I have set all the groups to Read Only Access.
Click Submit.
Navigate to Administration > System > Admin Access > Authorization > RBAC Policy.
Press the + next to your custom Helpdesk Admin rule permission.
Choose the Context_Visibility_Only permission from the dropdown.
Press the + next to the permission you just added.
Choose the Read_Only_Access permission we just created.
Click Save.
Log out of ISE and log back in using an account that is a member of the Active Directory group mapped to the Helpdesk admin group.
This time, you should see that you only have permission to view Context Visibility, with read-only access to the data groups.
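To sanity-check the least-privilege outcome of this mapping before relying on it, here is an added Python model of the chain configured above (example code, not Cisco's or ISE's own). The Active Directory distinguished names, the menu and data-group lists, and the rule that permissions from all matching RBAC rules are combined are assumptions made for the example.

```python
# Added example (not Cisco/ISE code): model of the admin RBAC chain built above,
# AD group -> External Admin Group -> RBAC policy rule -> Menu Access + Data Access.
# Assumed: matching rules combine (union), menus default to Hide, data groups to No Access.
from dataclasses import dataclass

ALL_MENUS = frozenset({"Context Visibility", "Operations", "Policy",
                       "Administration", "Work Centers"})          # illustrative subset
ALL_DATA_GROUPS = frozenset({"Admin Groups", "User Identity Groups",
                             "Endpoint Identity Groups", "Network Device Groups"})
RANK = {"No Access": 0, "Read Only": 1, "Full": 2}

@dataclass(frozen=True)
class Permission:
    menus_shown: frozenset          # Menu Access: anything not listed stays Hide
    data_access: tuple              # Data Access: ((group, level), ...); missing = No Access

SUPER_ADMIN = Permission(ALL_MENUS, tuple((g, "Full") for g in ALL_DATA_GROUPS))
CONTEXT_VISIBILITY_ONLY = Permission(frozenset({"Context Visibility"}), ())
READ_ONLY_ACCESS = Permission(frozenset(), tuple((g, "Read Only") for g in ALL_DATA_GROUPS))

# Admin Groups marked External and the AD groups they map to (constructed placeholder DNs)
ADMIN_GROUP_FOR_AD_GROUP = {
    "CN=ISE-SuperAdmins,OU=Groups,DC=example,DC=com": "AD_Super_Admins",
    "CN=ISE-Helpdesk,OU=Groups,DC=example,DC=com": "AD_Helpdesk",
}
# RBAC Policy rules: (rule name, admin group, permissions), as duplicated and renamed above
RBAC_POLICY = [
    ("AD Super Admin Policy", "AD_Super_Admins", [SUPER_ADMIN]),
    ("AD Helpdesk Admin Policy", "AD_Helpdesk", [CONTEXT_VISIBILITY_ONLY, READ_ONLY_ACCESS]),
]

def effective_permissions(ad_groups):
    """Resolve the menus shown and per-group data access for an AD account."""
    admin_groups = {ADMIN_GROUP_FOR_AD_GROUP[g] for g in ad_groups if g in ADMIN_GROUP_FOR_AD_GROUP}
    menus = set()
    data = {g: "No Access" for g in ALL_DATA_GROUPS}
    for _name, admin_group, perms in RBAC_POLICY:
        if admin_group not in admin_groups:
            continue                      # rule does not match this account
        for p in perms:
            menus |= p.menus_shown
            for group, level in p.data_access:
                if RANK[level] > RANK[data[group]]:
                    data[group] = level   # highest level wins when rules overlap
    return frozenset(menus), data

def can_change_config(ad_groups):
    """Least-privilege check: can the account reach Administration with Full data access?"""
    menus, data = effective_permissions(ad_groups)
    return "Administration" in menus and "Full" in data.values()
```

An account in neither AD group resolves to no menus and No Access everywhere, which is the fail-closed result you want from an external identity source.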