Integrate AD for ISE GUI and CLI Log in

Overview

• Purpose: Allow AD users and groups to authenticate to the ISE administrative GUI and to the CLI (SSH) where required.
• Supported scope: GUI authentication, CLI authentication (requires specific AD attributes), or both.
• ISE version referenced: Cisco ISE 3.x (confirm your deployed version before applying these steps).
• Impact: Changing admin authentication can affect access for all administrators; maintain a local internal super‑admin account as a fallback.

Prerequisites

• ISE nodes running a supported ISE release (example: ISE 3.0).
• Windows Server Active Directory reachable from ISE (DNS resolution and network connectivity verified).
• AD join account with permissions to create and modify computer objects in the target OU.
• For CLI (SSH) admins: AD user objects must include uidNumber and gidNumber attributes; recommended values: uidNumber > 60000, gidNumber = 110 for admin or 111 for read‑only.
• Fallback admin: Keep at least one internal ISE super admin account that does not rely on AD.

GUI integration steps

1. Join ISE to Active Directory

1. In the ISE GUI, navigate to Administration > Identity Management > External Identity Sources > Active Directory.
2. Click Add (or Join), enter the Domain Name and the AD join account credentials, then click OK to initiate the domain join.
3. Verify the join status shows as Joined and that the domain controllers are reachable.

2. Import AD groups

1. Go to Administration > Identity Management > External Identity Sources > Active Directory > Groups.
2. Click Add and choose Select groups from Directory.
3. Search for and import the AD groups that contain your administrative users (e.g., ISE_Admins).

3. Configure ISE to use AD for admin authentication

1. Navigate to Administration > System > Admin Access > Authentication.
2. Select Password Based authentication and choose Active Directory as the identity source.
3. Save changes.

4. Map AD groups to ISE Admin Groups and RBAC

1. Create an Admin Group of type External under Administration > System > Admin Access > Administrators > Admin Groups and map it to the imported AD group.
2. Under Administration > System > Admin Access > Authorization > Policy, add a policy rule that maps the Admin Group to the desired RBAC role (e.g., Super Admin, Read Only).
3. Save and apply the policy.

CLI integration (SSH) and required AD attributes

• AD attributes required for CLI login: uidNumber and gidNumber must be populated on the AD user object.
• Recommended values: uidNumber greater than 60000; gidNumber set to 110 for admin or 111 for read‑only.
• How to set attributes: Use Active Directory Users and Computers with Advanced Features enabled, edit the user’s Attribute Editor, and set uidNumber and gidNumber.
• ISE CLI join command (per node):

  identity-store active-directory domain-name <domain> user <AD-join-username>
  

• Notes: If you join the domain via CLI on a node that was previously joined via GUI, rejoin or verify the domain status in the GUI to ensure consistency across the deployment.

Verification steps

• GUI verification: Log in with an AD user that is a member of the mapped AD admin group and confirm RBAC permissions apply as expected.
• CLI verification: Attempt SSH login with an AD user that has uidNumber and gidNumber set; confirm shell access and role mapping.
• Connectivity checks: Ensure ISE can resolve AD domain controllers via DNS and that required ports (LDAP/LDAPS, Kerberos if used) are open.
• Timing: After changing gidNumber or uidNumber, allow a few minutes for replication and caching before retrying SSH logins.

Troubleshooting checklist

• Join failures

  • Verify AD join account credentials and that the account has permission to create computer objects in the target OU.
  • Confirm DNS resolution for domain controllers from ISE and that network/firewall rules permit LDAP/LDAPS.
  • If join fails with credential or DNS errors, recheck the domain name and join account details.

• Login failures (GUI)

  • Confirm the AD group was imported and mapped to an ISE Admin Group.
  • Verify the authentication policy lists AD as an identity source for admin authentication.
  • Check AD account status (locked, expired, or password issues).

• SSH/CLI login failures

  • Ensure uidNumber and gidNumber attributes exist and meet the required values.
  • Wait several minutes after changing AD attributes to allow replication and caching.
  • If SSH still fails, verify the node’s domain join status and rejoin if necessary.

• Logs to review

  • Join and system messages: check system logs on ISE for domain join errors.
  • Authentication logs: review authentication/secure logs for failed login attempts and error codes.
  • Use ISE troubleshooting commands or GUI log viewers to capture relevant entries.

Risks and mitigations

• Risk: Admin lockout if AD becomes unavailable.
  Mitigation: Maintain at least one internal local super admin account and test AD reachability before switching production admin authentication to AD.
• Risk: Incorrect AD attributes prevent CLI access.
  Mitigation: Validate uidNumber and gidNumber values on AD user objects and allow time for replication; test with a single user before broad rollout.

Quick reference (copyable steps)

• Join domain (GUI): Administration > Identity Management > External Identity Sources > Active Directory > Add/Join.
• Import groups: Administration > Identity Management > Active Directory > Groups > Add > Select groups from Directory.
• Enable AD auth for admins: Administration > System > Admin Access > Authentication > Password Based > select AD.
• Map groups to RBAC: Administration > System > Admin Access > Administrators > Admin Groups (create External) → Authorization > Policy (map to RBAC role).
• CLI join command: identity-store active-directory domain-name <domain> user <AD-join-username>.

If you want this formatted as a HubSpot article with separate fields (Title, Short Answer, Steps, Troubleshooting, Tags), I can produce that layout ready for copy‑paste.