Cisco Cisco Identity Services Engine 1.3
Do not use double quotes (”) in the group name for the user interface login.
Step 4
If you are manually selecting a group, you can search for them using a filter. For example, enter admin* as the filter criteria
and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character
to filter the results. You can retrieve only 500 groups at a time.
and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character
to filter the results. You can retrieve only 500 groups at a time.
Step 5
Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.
Step 6
If you choose to manually add a group, enter a name and SID for the new group.
Step 7
Click OK.
Step 8
Click Save.
If you delete a group and create a new group with the same name as original, you must click Update SID Values
to assign new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first
join.
to assign new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first
join.
Note
What to Do Next
Configure Active Directory user attributes.
Configure Active Directory User and Machine Attributes
You must configure Active Directory user and machine attributes to be able to use them in conditions in authorization policies.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Attributes tab.
Step 3
Choose Add > Add Attribute to manually add a attribute, or choose Add > Select Attributes From Directory to
choose a list of attributes from the directory.
choose a list of attributes from the directory.
Step 4
If you choose to add attributes from the directory, enter the name of a user in the Sample User or Machine Account
field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter administrator to obtain a
list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.
field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter administrator to obtain a
list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.
When you enter an example username, ensure that you choose a user from the Active Directory domain to which
the Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix
the machine name with “host/” or use the SAM$ format. For example, you might use host/myhost. The example
value displayed when you retrieve attributes are provided for illustration only and are not stored.
the Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix
the machine name with “host/” or use the SAM$ format. For example, you might use host/myhost. The example
value displayed when you retrieve attributes are provided for illustration only and are not stored.
Note
Step 5
Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.
Step 6
If you choose to manually add an attribute, enter a name for the new attribute.
Step 7
Click Save.
Test Users for Active Directory Authentication
Test User tool can be used to verify user authentication. You can also fetch groups and attributes and examine them. You can run the
test for a single join point or for scopes.
test for a single join point or for scopes.
10