Cisco Cisco Identity Services Engine 2.1
Username-Based Authentication Test (Test User)
Test authentication is useful to troubleshoot authentication and authorization issues for end users. You can use the Test User feature
to test Active Directory authentications.The test returns the results along with group and attribute details (authorization information)
that can be viewed on the Admin Portal.
to test Active Directory authentications.The test returns the results along with group and attribute details (authorization information)
that can be viewed on the Admin Portal.
Diagnostic Tool
The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment for general connectivity issues.
This tool provides information on:
This tool provides information on:
• The Cisco ISE node on which the test is run
• Connectivity to the Active Directory
• Detailed status about the domain
• Detailed status about Cisco ISE-DNS server connectivity
The tool provides a detailed report for each test that you run.
Certificate Authentication Profile Enhancements
• Any subject or alternative name attributes in the certificate (for Active Directory only) option—You can use this option to use
Active Directory UPN as the username for logs and try all subject names and alternative names in a certificate to look up a user.
This option is available only if you choose Active Directory as the identity source.
This option is available only if you choose Active Directory as the identity source.
• Only to resolve identity ambiguity option—You can use this options to resolve identity issues in EAP-TLS authentications.
You can have multiple identities from TLS certificates. If the usernames are ambiguous, for example, if there are two “jdoe”
from an acquisition, and if the client certificates are present in Active Directory, Cisco ISE can use binary comparison to rule
out the ambiguity.
from an acquisition, and if the client certificates are present in Active Directory, Cisco ISE can use binary comparison to rule
out the ambiguity.
Node View
You can use this page to view the status of the join points on each node in the Cisco ISE deployment. The node view is a read-only
page and provides only the status. This page does not support any join, leave, or test option. However, it provides a link for each join
point to the main join point page, where these operations can be performed. This page also shows the last diagnostics status and a
link to diagnostics tool.
page and provides only the status. This page does not support any join, leave, or test option. However, it provides a link for each join
point to the main join point page, where these operations can be performed. This page also shows the last diagnostics status and a
link to diagnostics tool.
Reports and Alarms
Cisco ISE provides new AD Connector Operations report and new alarms in dashboard to monitor and troubleshoot Active Directory
related activities.
related activities.
Advanced Tuning
The advanced tuning feature provides node-specific changes and settings to adjust the parameters deeper in the system. This page
allows configuration of preferred DCs, GCs, DC failover parameters, and timeouts. This page also provide troubleshooting options
like disable encryption. These settings are not intended for normal administration flow and should be used only under Cisco Support
guidance.
allows configuration of preferred DCs, GCs, DC failover parameters, and timeouts. This page also provide troubleshooting options
like disable encryption. These settings are not intended for normal administration flow and should be used only under Cisco Support
guidance.
Prerequisites for Integrating Active Directory and Cisco ISE
The following are the prerequisites to integrate Active Directory with Cisco ISE.
3