
CCIE Security V4 Technology Labs Section 4: Identity Management

AD Integration
Last updated: May 16, 2013

Task
Join ISE to the AD domain.
Import the groups in the table below.

User         Group        Domain
employee1    employee     inelab
contractor1  contractors  inelab

Configuration
To join the domain, we need to add an external identity source. The external identity source is added
under Administration > Identity Management > External Identity Sources > Active Directory.
Define the INELAB.LOCAL domain and give the Identity Store a name. Click the Save
Configuration button.

Now we can see that ISE has been added. We need to select the checkbox next to the ISE node
and click the Join button.

Enter the credentials of an account that has the rights to add devices to the domain. In this case we
are using the Administrator account.
We can also use the Test Connection button, but a test is performed when we join the domain.

Close the box indicating that the Join was a success.


Now verify that the status is connected.

Now click the Groups tab and click the Add button. Click the Select Groups From Directory option.
Click the Retrieve Groups button.

Select both the contractors and employees groups.


We should now see the two groups listed in the Groups tab.

Verification
The verification for this task occurs as you add the server. If the process fails, you will not be able to
add the domain as seen in the configuration section.

One issue may occur here: time skew between AD and ISE. The two clocks must be closely
synchronized. When performing the basic test, you may see the following error.

Because NTP is synchronizing the network, the easiest thing to do is change the clock on the
server to match the clock on the network.
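
The skew can be measured before attempting the join. The following is an added example, not part of the original lab: it sends an SNTP request to a time source and computes the offset from the local clock. The function names are hypothetical, and the 300-second limit is an assumption (the Active Directory Kerberos default of 5 minutes); the lab itself states no value.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300        # assumed limit: AD Kerberos default of 5 minutes

def to_ntp(unix_ts):
    """Unix seconds -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return struct.pack("!II", int(unix_ts) + NTP_EPOCH_DELTA,
                       int((unix_ts % 1) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit time = t1."""
    pkt = bytearray(48)
    pkt[0] = 0x1B
    pkt[40:48] = to_ntp(t1)
    return bytes(pkt)

def clock_offset(reply, t1, t4):
    """Server clock minus local clock; t1/t4 are local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # must be mode 4, stratum > 0
        raise ValueError("not a usable server reply")
    t2 = from_ntp(reply[32:40])  # server receive time
    t3 = from_ntp(reply[40:48])  # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_ok(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit

def query(server, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

if __name__ == "__main__" and len(sys.argv) > 1:
    off = query(sys.argv[1])  # e.g. the domain controller's address
    print(f"offset {off:+.1f}s, within tolerance: {skew_ok(off)}")
```

Run it from a host that is synchronized to the network NTP source and pass the AD server's address; an offset outside the limit means the server clock needs correcting before the join.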
