I like Cisco ISE, i think it’s a mature solution from version 2.3 and up (i hope smart licensing doesn’t bring too much burden in the future), especially when using External Identity Sources to authenticate users and endpoints (AKA non-cisco ldap/radius servers). The easiest route for external authentication -and my absolute recommendation- is to use Microsoft Active Directory (AD), Cisco ISE is by no means a cheap product that any company can afford, so chances are that if you bought an ISE node you have enough money to treat yourself with Active Directory. AD is also a very mature product and pretty much THE de-facto standard for any enterprise solution needing SSO or centralized authentication, making a guide on how to configure ISE with AD doesn’t make sense, it would be just a tutorial on how to RTFM.
But there is more LDAP territory beyond just AD, let’s say you are in such a situation where you could afford Cisco ISE but upper management decided to reinvent the wheel and not use AD but another LDAP-based solution instead, most likely FOSS, with little adoption and little documentation given the unusual use-case. Well, this happened to me in the past so here you have a quick tutorial on how to integrate Cisco ISE with FreeIPA as an External Identity Source.
First, go to Identity Management>External Identity Sources, and create a new LDAP source, it will just ask for a name and then you will need to specify the details.
In the General tab, in Schema select Custom and this will expand the set of LDAP attributes shown in the picture above. Select the option “Group objects Contain Reference To Subjects” and choose from the menu that subjects in groups are stored using “Distinguished Name”. For the rest just fill in the fields as follows:
- Subject Objectclass: inetOrgPerson
- Subject Name Attribute: uid
- Group Name Attribute: cn
- Group Objectclass: groupOfNames
- Group Map Attribute: member
In the Connection tab, specify the IP address or hostname of your FreeIPA (or any other LDAP system if you don’t go too FOSS with your choice) and the port used for authentication. In this case i used port 636 for LDAPS (secure), but you can also use the default port 398. If you are using LDAPS besides picking up port 636, “authenticated access” and “enable secure authentication” you also need to upload to ISE your LDAP root CA beforehand, which in my screenshot is shown just as “IPA”.
You will notice that contrary to AD integration here things are not so easy, in the Admin DN box you need to identify the whole path to the user account you want to use for authentication plus its password. Below you will find a string that works for FreeIPA but you may need to modify it depending on the attributes used by your LDAP system, and how deep in the LDAP tree your user account is located; my user account was named “svc_cisco_ise”.
In the string above replace (or add) CNs depending how your LDAP tree is structured and replace the DCs for your domain and your TLD (e.g. dc=tcpip,dc=me). This step involves a lot of trial and error when working with non-AD LDAP systems.
Finally in the Directory Organization tab you need to specify the paths for ISE to correctly query subjects (users) and groups. Again you need a similar string as for the Admin DN account used for authentication. Below is a basic working example for FreeIPA.
Leave the rest as default, click test connection and use the test user option in the External Identity Sources main menu, if you did it right you should see the return code from FreeIPA or your custom LDAP system.
In all honesty, going this route is painful, avoid it if you can, this use-case is very unusual, use Active Directory and save yourself a huge headache.