Create an LDAP Realm or an Active Directory Realm and Realm Directory
If you're setting up ISE/ISE-PIC without a realm, be aware there is a user session timeout that affects how users are seen by the management center. For more information, see Realm Fields.
The following procedure enables you to create a realm (a connection between the management center and an Active Directory realm) and a directory (a connection between the management center and an LDAP server or an Active Directory domain controller).
(Recommended.) To connect securely from the management center to your Active Directory server, first perform the following tasks:
Microsoft has announced that Active Directory servers will start enforcing LDAP channel binding and LDAP signing in 2020. Microsoft is making these a requirement because, with default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site.
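The following script is an added example, not part of the Cisco documentation or of any Cisco tool. It audits the settings the Microsoft advisory above describes on a domain controller and reads the LDAPS server certificate, which tells you which CA certificate the management center must trust before the realm directory can connect securely. It assumes it runs on the domain controller with local administrator rights; $DcFqdn is a placeholder for the directory server's FQDN.

```powershell
# Added example (not Cisco's code): check a domain controller's LDAP signing /
# channel-binding enforcement and inspect its LDAPS certificate before pointing a
# management center realm directory at it.
# Assumptions: runs on the DC itself as a local administrator; $DcFqdn is a
# placeholder for the directory server's FQDN.
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

function Describe-Value([object]$Value, [hashtable]$Meanings) {
    # Translate a registry value into its documented meaning; absent means the
    # OS default applies (we do not guess what that default is).
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    $v = [int]$Value
    if ($Meanings.ContainsKey($v)) { return "$v ($($Meanings[$v]))" }
    return "$v (undocumented value)"
}

$result = [ordered]@{}

# 1. Registry values named in Microsoft's LDAP channel binding / signing advisory.
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$result['LDAPServerIntegrity'] = Describe-Value $ntds.LDAPServerIntegrity `
    @{ 1 = 'None: unsigned SASL binds accepted'; 2 = 'Require signing' }
$result['LdapEnforceChannelBinding'] = Describe-Value $ntds.LdapEnforceChannelBinding `
    @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }

# 2. LDAPS reachability and the certificate the management center will be shown.
#    The issuer is the CA you must upload as the server's trusted CA object.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
    # Accept any certificate here: the goal is to read it, not to trust it.
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $result['LDAPS (TCP 636)'] = 'reachable'
    $result['TLS protocol'] = $ssl.SslProtocol
    $result['Cert subject'] = $cert.Subject
    $result['Cert issuer (CA to import)'] = $cert.Issuer
    $result['Cert expires'] = $cert.NotAfter
    $result['Cert thumbprint'] = $cert.Thumbprint
} catch {
    $result['LDAPS (TCP 636)'] = "FAILED: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

# 3. Clients still performing unsigned or simple binds (Directory Service event
#    2889). These are the clients that break once signing is required. The event
#    is only written when the "16 LDAP Interface Events" diagnostic level is 2,
#    so zero events is not proof that no such clients exist.
try {
    $unsigned = @(Get-WinEvent -LogName 'Directory Service' `
        -FilterXPath '*[System[EventID=2889]]' -MaxEvents 50 -ErrorAction Stop)
    $result['Unsigned-bind events (2889)'] = $unsigned.Count
} catch {
    $result['Unsigned-bind events (2889)'] = 'none found, or LDAP interface auditing not enabled'
}

[pscustomobject]$result | Format-List
```

Run it on each domain controller you intend to list as a realm directory. If LDAPServerIntegrity is not 2 or LdapEnforceChannelBinding is not 2, the DC still accepts the unsigned binds the advisory warns about; if the certificate issuer is an internal CA, that CA's certificate is the trusted certificate authority object referenced in the Before you begin section.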
For more information about realm and directory configuration fields, see Realm Fields and Realm Directory and Synchronize fields.
A step-by-step example of setting up a realm with cross-domain trust is shown in Configure the Management Center for Cross-Domain-Trust: The Setup.
An Active Directory Global Catalog server is not supported as a realm directory. For more information about the Global Catalog Server, see Global Catalog on learn.microsoft.com.
Note: You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. The system assigns a unique ID to every user and group in each realm; if two realms share the same AD Primary Domain, the system cannot definitively identify any particular user or group, and users and groups will not be identified properly.
Before you begin
If you're using Kerberos authentication for captive portal, see the following section before you begin: Prerequisites for Kerberos Authentication.
If you enabled Change Management, you must open or edit, assign, and approve a ticket for each of the following objects before you can create the realm:
- If you're connecting securely to Microsoft AD or LDAP, the server's trusted certificate authority
- The realm itself
For more information, see Opening a Ticket for Configuration Changes and Policies and Objects that Support Change Management.
If you are managing devices with Cisco Security Cloud Control (Security Cloud Control), create a proxy sequence first as discussed in Create a Proxy Sequence.
Important: To reduce latency between the management center and your Active Directory domain controller, we strongly recommend that you configure a realm directory (that is, a domain controller) that is as close as possible geographically to the management center. For example, if your management center is in North America, configure a realm directory that is also in North America. Failure to do so can cause problems such as timeouts when downloading users and groups.
Procedure
Step 1. Log in to the Secure Firewall Management Center.
Step 2. Click .
Step 3. To create a new realm, choose from the Add Realm drop-down list.
Step 4. To perform other tasks (such as enabling, disabling, or deleting a realm), see Manage a Realm.
Step 5. Enter realm information as discussed in Realm Fields.
Step 6. (Optional.) From the Proxy list, click a managed device or proxy sequence to communicate with ISE/ISE-PIC if Security Cloud Control is unable to do so. For example, your Security Cloud Control might be in a public cloud while the ISE/ISE-PIC server is on an internal intranet.
Step 7. In the Directory Server Configuration section, enter directory information as discussed in Realm Directory and Synchronize fields.
Step 8. (Optional.) To configure another domain for this realm, click Add another directory.
Step 9. Click Configure Groups and Users. Enter the following information:
Step 10. Click the Realm Configuration tab.
Step 11. Enter the Group Attribute, and (if you use Kerberos authentication for captive portal) enter the AD Join Username and AD Join Password. For more information, see Realm Directory and Synchronize fields.
Step 12. If you use Kerberos authentication, click Test. If the test fails, wait a short time and try again.
Step 13. Enter user session timeout values, in minutes, for ISE/ISE-PIC Users, Terminal Server Agent Users, Captive Portal Users, Failed Captive Portal Users, and Guest Captive Portal Users.
Step 14. When you're finished configuring the realm, click Save.
What to do next
- Configure the Management Center for Cross-Domain-Trust: The Setup
- Edit, delete, enable, or disable a realm; see Manage a Realm.
- Optionally, monitor the task status; see View Task Messages.