Cisco Cisco Identity Services Engine 2.1
If you chooseAny Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as
the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option
is available only if you choose Active Directory as the identity source.
the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option
is available only if you choose Active Directory as the identity source.
Step 5
Choose when you want to Match Client Certificate Against Certificate In Identity Store. For this you must select an
identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to
resolve identity ambiguity.
identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to
resolve identity ambiguity.
• Never—This option never performs a binary comparison.
• Only to resolve identity ambiguity—This option performs the binary comparison of client certificate to certificate
on account in Active Directory only if ambiguity is encountered. For example, several Active Directory accounts
matching to identity names from certificate are found.
matching to identity names from certificate are found.
• Always perform binary comparison—This option always performs the binary comparison of client certificate to
certificate on account in identity store (Active Directory or LDAP).
Step 6
Click Submit to add the certificate authentication profile or save the changes.
Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Advanced Settings tab.
Step 3
Modify as required, the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings.
These option are enabled by default.
These option are enabled by default.
Step 4
Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text
authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
authentications. The default and recommended option is MS-RPC. Kerberos is used in ISE 1.2.
Authorization Against an Active Directory Instance
The following sections explain the mechanism that Cisco ISE uses to authorize a user or a machine against Active Directory.
Active Directory Attribute and Group Retrieval for Use in Authorization Policies
Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes
can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine
Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of
authentication.
can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine
Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of
authentication.
15