Welcome to the second publication in the Cisco ISE series. The first article covered the advantages of Network Access Control (NAC) solutions and how they differ from standard AAA, what makes Cisco ISE unique, its architecture, and the product installation process.
, LDAP Microsoft Active Directory, PassiveID. .
1.
User Identity - , . , , User Identity: , , , , .
User Groups - - , , Cisco ISE.
User Identity Groups - , . User Identity Groups , : Employee (), SponsorAllAccount, SponsorGroupAccounts, SponsorOwnAccounts ( ), Guest (), ActivatedGuest ( ).
User Role - - , , . .
2.
1) Cisco ISE . Administration → Identity Management → Identities → Users → Add.
2) , .
3) . Administration → Identity Management → Identities → Users Import csv txt . , Generate a Template, .
3. LDAP
, LDAP - , , , LDAP , 389 636 (SSL). LDAP Active Directory, Sun Directory, Novell eDirectory OpenLDAP. LDAP DN (Distinguished Name) (retrieval) , .
Cisco ISE LDAP , . , (primary) LDAP , ISE (secondary) . , 2 PAN, PAN LDAP, PAN - LDAP.
ISE 2 (lookup) LDAP : User Lookup MAC Address Lookup. User Lookup LDAP : , . MAC Address Lookup MAC LDAP , MAC .
Active Directory Cisco ISE LDAP .
1) Administration → Identity Management → External Identity Sources → LDAP → Add.
2) General LDAP ( Active Directory).
3) Connection Hostname/IP address AD , (389 - LDAP, 636 - SSL LDAP), (Admin DN - DN), .
: .
4) Directory Organization DN, .
5) Groups → Add → Select Groups From Directory LDAP .
6) Retrieve Groups. , . , ISE c LDAP LDAP .
7) Attributes , LDAP , Advanced Settings Enable Password Change, , . Submit .
8) LDAP .
4. Active Directory
1) Microsoft Active Directory LDAP , , , . AD Cisco ISE. Administration → Identity Management → External Identity Sources → Active Directory → Add.
: AD ISE DNS, NTP AD , .
2) Store Credentials. OU (Organizational Unit), ISE - OU. Cisco ISE, .
3) , PSN Administration → System → Deployment Passive Identity Service. PassiveID - , User IP . PassiveID AD WMI, AD SPAN ( ).
: Passive ID ISE show application status ise | include PassiveID.
4) Administration → Identity Management → External Identity Sources → Active Directory → PassiveID Add DCs. OK.
5) DC Edit. FQDN DC, , WMI Agent. WMI OK.
6) WMI Active Directory, ISE . , , login . 2 : . PassiveID Add Agent → Deploy New Agent (DC ). ( , FQDN , / ) OK.
7) Cisco ISE Register Existing Agent. , Work Centers → PassiveID → Providers → Agents → Download Agent.
: PassiveID logoff! - user session aging time 24 . logoff , - , logoff .
logoff "Endpoint probes" - . Endpoint probes Cisco ISE : RADIUS, SNMP Trap, SNMP Query, DHCP, DNS, HTTP, Netflow, NMAP Scan. RADIUS probe CoA (Change of Authorization) ( 802.1X), SNMP, .
, Cisco ISE + AD 802.1X RADIUS: Windows , logoff, WiFi. - , - logoff. , .
8) Administration → Identity Management → External Identity Sources → Active Directory → Groups → Add → Select Groups From Directory AD, ISE ( 3 “ LDAP ”). Retrieve Groups → OK.
9) Work Centers → PassiveID → Overview → Dashboard , , .
10) Live Sessions . AD .
5.
Cisco ISE, LDAP Microsoft Active Directory. .
(Telegram, Facebook, VK, TS Solution Blog, .).