
Configure ISE Role-Based Access Control with LDAP

Step-by-Step Guide to Configuring Cisco ISE Role-Based Access Control with LDAP

Prerequisites

  • Familiarity with Cisco ISE configuration
  • Cisco ISE Version 3.0
  • Windows Server 2016 environment
  • Administrative credentials for LDAP/Active Directory

Configuration Steps

1. Join ISE to LDAP

  1. Navigate to Administration > Identity Management > External Identity Sources > LDAP.
  2. Enter the hostname of the primary LDAP server and the port (389 for plain LDAP, 636 for LDAPS, i.e. LDAP over TLS).
  3. Enter the Admin Distinguished Name (DN) and password.
  4. Click Test Bind Server to verify connectivity.
  5. Select the correct Organization group based on LDAP hierarchy.

2. Enable Administrative Access for LDAP Users

  1. Go to Administration > System > Admin Access > Authentication.
  2. Under Authentication Method, select Password-Based.
  3. Choose LDAP from the Identity Source drop-down.
  4. Save changes.

3. Map Admin Group to LDAP Group

  • Create an Admin Group in ISE.
  • Map it to the corresponding Active Directory group.
  • This ensures RBAC permissions are applied based on group membership.

4. Set Permissions

Menu Access

  • Navigate to System > Authorization > Permissions > Menu Access.
  • Define which menus/sub-entities are visible to the admin group.
  • Save changes.

Data Access

  • Navigate to System > Authorization > Permissions > Data Access.
  • Configure full or read-only access to identity groups.
  • Save changes.

5. Configure RBAC Policy

  1. Go to System > Admin Access > Authorization > Policy.
  2. Insert a new policy (e.g., LDAP_RBAC_policy).
  3. Map it to the Admin Group.
  4. Assign menu and data access permissions.
  5. Save changes.

Note: Default system-generated RBAC policies cannot be modified. Only Super Admin users can manage other admin accounts.
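Steps 3 to 5 form one chain: an LDAP group is mapped to an ISE admin group, and an RBAC policy binds that admin group to a menu-access and a data-access permission. The following script is an added illustration of that chain, not code from Cisco or from this guide: it holds a constructed directory, admin-group mapping and policy set (all names are placeholders), computes the permissions a user ends up with, and reports two things a reviewer wants to see before going live: an admin group with no policy (its members authenticate but receive no menus) and a user who collects full data access plus further admin groups through overlapping LDAP membership. It assumes permissions from several matching policies are aggregated.

```python
"""Model of the admin-RBAC chain from steps 3-5:
LDAP group -> ISE admin group -> RBAC policy -> menu/data permissions.
All directory, group and policy names below are constructed placeholders."""
from dataclasses import dataclass

# Constructed LDAP directory: group DN -> member user names.
LDAP_GROUPS = {
    "CN=ISE-NetOps,OU=Groups,DC=example,DC=local": {"alice", "bob"},
    "CN=ISE-Helpdesk,OU=Groups,DC=example,DC=local": {"carol"},
    "CN=ISE-Admins,OU=Groups,DC=example,DC=local": {"alice"},
}

# Step 3: ISE admin group -> mapped LDAP group (Audit_Admins is deliberately left without a policy).
ADMIN_GROUP_MAP = {
    "NetOps_Admins": "CN=ISE-NetOps,OU=Groups,DC=example,DC=local",
    "Helpdesk_Admins": "CN=ISE-Helpdesk,OU=Groups,DC=example,DC=local",
    "Super_Admins": "CN=ISE-Admins,OU=Groups,DC=example,DC=local",
    "Audit_Admins": "CN=ISE-Audit,OU=Groups,DC=example,DC=local",
}


@dataclass(frozen=True)
class Policy:
    name: str
    admin_group: str
    menu_access: frozenset   # step 4, Menu Access: menus visible to the group
    data_access: frozenset   # step 4, Data Access: identity group plus full/read-only


# Step 5: each RBAC policy binds one admin group to a menu and a data permission.
POLICIES = [
    Policy("LDAP_RBAC_policy", "NetOps_Admins",
           frozenset({"Operations", "Policy"}),
           frozenset({"Employees:read-only"})),
    Policy("Helpdesk_policy", "Helpdesk_Admins",
           frozenset({"Operations"}),
           frozenset({"Guests:read-only"})),
    Policy("Super_policy", "Super_Admins",
           frozenset({"Administration", "Operations", "Policy", "Work Centers"}),
           frozenset({"Employees:full", "Guests:full"})),
]


def admin_groups_for(user):
    """Admin groups the user lands in through LDAP group membership."""
    return {ag for ag, ldap_dn in ADMIN_GROUP_MAP.items()
            if user in LDAP_GROUPS.get(ldap_dn, set())}


def effective_permissions(user):
    """Union of menu and data access over every policy whose admin group the user holds
    (assumes permissions aggregate across matching policies)."""
    groups = admin_groups_for(user)
    menus, data = set(), set()
    for p in POLICIES:
        if p.admin_group in groups:
            menus |= p.menu_access
            data |= p.data_access
    return {"admin_groups": groups, "menu_access": menus, "data_access": data}


def review_config():
    """Least-privilege findings for the configured chain."""
    findings = []
    policy_groups = {p.admin_group for p in POLICIES}
    for ag in ADMIN_GROUP_MAP:
        if ag not in policy_groups:
            findings.append(f"admin group {ag} has no RBAC policy")
    all_users = set().union(*LDAP_GROUPS.values())
    for user in sorted(all_users):
        perms = effective_permissions(user)
        full = {d for d in perms["data_access"] if d.endswith(":full")}
        if full and len(perms["admin_groups"]) > 1:
            findings.append(f"{user}: full data access plus extra admin groups "
                            f"{sorted(perms['admin_groups'])}")
    return findings


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, effective_permissions(user))
    for f in review_config():
        print("FINDING:", f)
```

Feeding an export of the real admin-group mapping and policy list into the same structures turns this into a quick pre-change review of who will end up with Super Admin rights through group nesting.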


Verification

  1. Log in to ISE GUI using LDAP credentials.
  2. Select LDAP_Server as the Identity Source.
  3. Verify successful login in Operations > Reports > Audit > Administrators Logins.
  4. Confirm limited/custom access menus are applied as expected.

Troubleshooting

  • Enable Debugging:

    • RBAC logs: ise-psc.log
    • Access filter logs: ise-psc.log
    • LDAP interaction logs: prrt-server.log
  • Packet Capture & Log Analysis:

    • Verify LDAP authentication events.
    • Confirm RBAC policy enforcement in logs.
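The two troubleshooting checks above (verify the LDAP authentication events, confirm RBAC policy enforcement) are easiest to do by correlating the LDAP bind results in prrt-server.log with the RBAC decisions in ise-psc.log. The script below is an added example, not part of this guide and not Cisco code; the log lines are constructed in a simplified key=value stand-in format, not ISE's actual log syntax, so the regular expression and field names are assumptions to adapt to the real files. It pairs each RBAC permit with a successful LDAP bind for the same user inside a short window, lists permits that have no such bind (worth a look: a local account, a different identity source, or a logging gap), and counts users with repeated bind failures.

```python
"""Correlate LDAP bind results (prrt-server.log) with RBAC decisions (ise-psc.log).
Log format below is a constructed stand-in, not ISE's real syntax."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from prrt-server.log (LDAP interaction).
PRRT_SERVER_LOG = """\
2024-05-01 10:02:11 prrt-server LDAP bind user=alice server=ldap01.example.local result=SUCCESS
2024-05-01 10:03:40 prrt-server LDAP bind user=mallory server=ldap01.example.local result=FAILURE reason=invalidCredentials
2024-05-01 10:03:45 prrt-server LDAP bind user=mallory server=ldap01.example.local result=FAILURE reason=invalidCredentials
2024-05-01 10:03:52 prrt-server LDAP bind user=mallory server=ldap01.example.local result=FAILURE reason=invalidCredentials
2024-05-01 10:20:00 prrt-server LDAP bind user=carol server=ldap01.example.local result=SUCCESS
"""

# Constructed sample lines from ise-psc.log (RBAC enforcement).
ISE_PSC_LOG = """\
2024-05-01 10:02:12 ise-psc RBAC policy=LDAP_RBAC_policy user=alice group=NetOps_Admins decision=PERMIT
2024-05-01 10:05:02 ise-psc RBAC policy=Super_policy user=bob group=Super_Admins decision=PERMIT
2024-05-01 10:20:01 ise-psc RBAC policy=Helpdesk_policy user=carol group=Helpdesk_Admins decision=PERMIT
"""

# Assumed line shape: "<date> <time> <source> <event> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<event>LDAP bind|RBAC) (?P<kv>.*)$")


def parse(text):
    """Turn matching lines into dicts of fields plus a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, skip
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        fields["event"] = m["event"]
        events.append(fields)
    return events


def correlate(prrt_text, psc_text, window=timedelta(seconds=60)):
    """Match each RBAC permit to a successful LDAP bind for the same user within `window`."""
    binds = [e for e in parse(prrt_text) if e["event"] == "LDAP bind"]
    rbac = [e for e in parse(psc_text) if e["event"] == "RBAC"]

    successes = defaultdict(list)   # user -> timestamps of successful binds
    failures = defaultdict(int)     # user -> number of failed binds
    for b in binds:
        if b["result"] == "SUCCESS":
            successes[b["user"]].append(b["ts"])
        else:
            failures[b["user"]] += 1

    report = {"verified": [], "unbacked_rbac": [], "repeated_failures": []}
    for r in rbac:
        backed = any(timedelta(0) <= (r["ts"] - t) <= window for t in successes[r["user"]])
        bucket = report["verified"] if backed else report["unbacked_rbac"]
        bucket.append((r["user"], r["policy"]))
    report["repeated_failures"] = [(u, n) for u, n in failures.items() if n >= 3]
    return report


if __name__ == "__main__":
    for key, rows in correlate(PRRT_SERVER_LOG, ISE_PSC_LOG).items():
        print(key, rows)
```

On a live system, replace the two string constants with the contents of the files pulled from the ISE support bundle and adjust LINE_RE to the actual line layout; the correlation logic itself does not change.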