Cisco Cisco Identity Services Engine 2.1
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Authentication Domains tab.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.
Step 3
To allow only specified domains, uncheck Use all Active Directory domains for authentication check box.
Step 4
Check the check box next to the domains for which you want to allow authentication, and click Enable Selected. In the
Authenticate column, the status of this domain changes to Yes.
You can also disable selected domains.
Authenticate column, the status of this domain changes to Yes.
You can also disable selected domains.
Step 5
Click Show Unusable Domains to view a list of domains that cannot be used. Unusable domains are domains that Cisco
ISE cannot use for authentication due to reasons such as one-way trust, selective authentication and so on.
ISE cannot use for authentication due to reasons such as one-way trust, selective authentication and so on.
What to Do Next
Configure Active Directory user groups.
Supported Group Types
Cisco ISE supports the following security group types:
• Universal
• Global
• Builtin
Builtin groups do not have a unique security identifier (SID) across domains and to overcome this, Cisco ISE prefixes their
SIDs with the domain name to which they belong.
SIDs with the domain name to which they belong.
Cisco ISE uses the AD attribute tokenGroups to evaluate a user’s group membership. Cisco ISE machine account must have permission
to read tokenGroups attribute. This attribute can contain approximately the first 1015 groups that a user may be a member of (the
actual number depends on Active Directory configuration and can be increased by reconfiguring Active Directory.) If a user is a
member of more groups than this, Cisco ISE does not use more than the first 1015 in policy rules.
to read tokenGroups attribute. This attribute can contain approximately the first 1015 groups that a user may be a member of (the
actual number depends on Active Directory configuration and can be increased by reconfiguring Active Directory.) If a user is a
member of more groups than this, Cisco ISE does not use more than the first 1015 in policy rules.
Configure Active Directory User Groups
You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, Cisco ISE uses
security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. SID provides accurate group
assignment matching.
security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. SID provides accurate group
assignment matching.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Groups tab.
Step 3
Do one of the following:
8