Cisco Cisco Identity Services Engine 1.3
• Always perform binary comparison—This option always performs the binary comparison of client certificate to
certificate on account in identity store (Active Directory or LDAP).
Step 6
Click Submit to add the certificate authentication profile or save the changes.
Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Advanced Settings tab.
Step 3
Modify as required, the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings.
These option are enabled by default.
These option are enabled by default.
Step 4
Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text
authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
Related Topics
Active Directory Password-Based Authentication, on page 14
Authorization Against an Active Directory Instance
The following sections explain the mechanism that Cisco ISE uses to authorize a user or a machine against Active Directory.
Active Directory Attribute and Group Retrieval for Use in Authorization Policies
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes
can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine
Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of
authentication.
can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine
Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of
authentication.
Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor
groups. You should note the following restrictions on group memberships in Active Directory:
groups. You should note the following restrictions on group memberships in Active Directory:
• Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or
computer is a direct member, or indirect (nested) groups.
• Domain local groups outside a user’s or computer’s account domain are not supported.
Attributes and groups are retrieved and managed per join point. They are used in authorization policy (by selecting first the join point
and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication
and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication
16