Asset Visibility

Administrative Access to Cisco ISE Using an External Identity Store

In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecurID. There are two models you can use to provide authentication via an external identity store:

  • External Authentication and Authorization: There are no credentials that are specified in the local Cisco ISE database for the administrator, and authorization is based on external identity store group membership only. This model is used for Active Directory and LDAP authentication.

  • External Authentication and Internal Authorization: The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.

During the authentication process, Cisco ISE is designed to “fall back” and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing Internal from the Identity Store drop-down list in the login dialog box.

Administrators who belong to a Super Admin group, and are configured to authenticate and authorize using an external identity store, can also authenticate with the external identity store for Command Line Interface (CLI) access.


You can configure this method of providing external administrator authentication only via the Admin portal. Cisco ISE CLI does not feature these functions.

If your network does not already have one or more existing external identity stores, ensure that you have installed the necessary external identity stores and configured Cisco ISE to access those identity stores.

External Authentication and Authorization

By default, Cisco ISE provides internal administrator authentication. To set up external authentication, you must create a password policy for the external administrator accounts that you define in the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.

To configure external authentication, you must:

  • Configure password-based authentication using an external identity store.

  • Create an external administrator group.

  • Configure menu access and data access permissions for the external administrator group.

  • Create an RBAC policy for external administrator authentication.

In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.

Configure a Password-Based Authentication Using an External Identity Store

You must first configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Authentication.

Step 2

On the Authentication Method tab, click Password Based and choose one of the external identity sources you have already configured. For example, the Active Directory instance that you have created.

Step 3

Configure any other specific password policy settings that you want for administrators who authenticate using an external identity store.

Step 4

Click Save.

Create an External Administrator Group

You will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.

Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements while configuring the RBAC policy for this external administrator authentication method.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Administrators > Admin Groups.

The External Groups Mapped column displays the number of external groups that are mapped to internal RBAC roles. You can click the number corresponding to an admin role to view the external groups (for example, if you click the 2 displayed against Super Admin, the names of the two external groups are displayed).

Step 2

Click Add.

Step 3

Enter a name and optional description.

Step 4

Click External.

If you have connected and joined to an Active Directory domain, your Active Directory instance name appears in the Name field.

Step 5

From the External Groups drop-down list box, choose the Active Directory group that you want to map for this external administrator group.

Click the “+” sign to map additional Active Directory groups to this external administrator group.

Step 6

Click Save.

Create an Internal Read-Only Admin


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Administrators > Admin Users.

Step 2

Click Add and select Create An Admin User.

Step 3

Check the Read Only check box to create a Read-Only administrator.

Map External Groups to the Read-Only Admin Group


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > External Identity Sources to configure the external authentication source.

Step 2

Click the required external identity source, such as Active Directory or LDAP, and then retrieve the groups from the selected identity source.

Step 3

Choose Administration > System > Admin Access > Authentication to map the authentication method for the admin access with the identity source.

Step 4

Choose Administration > System > Admin Access > Administrators > Admin Groups and select Read Only Admin group.

Step 5

Check the External check box and select the required external groups for whom you intend to provide read-only privileges.

Step 6

Click Save.

An external group that is mapped to a Read-Only Admin group cannot be assigned to any other admin group.

Configure Menu Access and Data Access Permissions for External Administrator Group

You must configure menu access and data access permissions that can be assigned to the external administrator group.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Permissions.

Step 2

Click one of the following:

  • Menu Access: All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access.

  • Data Access: All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access.

Step 3

Specify menu access or data access permissions for the external administrator group.

Step 4

Click Save.

Create an RBAC Policy for External Administrator Authentication

You must configure a new RBAC policy to authenticate an administrator using an external identity store and to specify custom menu and data access permissions. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.


You cannot modify an existing (system-preset) RBAC policy to specify these new external attributes. If you have an existing policy that you would like to use as a template, you must duplicate that policy, rename it, and then assign the new attributes.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Authorization > RBAC Policy.

Step 2

Specify the rule name, external administrator group, and permissions.

Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure that the administrator is associated with the correct external administrator group.

Step 3

Click Save.

If you log in as an administrator, and the Cisco ISE RBAC policy is not able to authenticate your administrator identity, Cisco ISE displays an “unauthenticated” message, and you cannot access the Admin portal.

Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization

This method requires you to configure the same username in both the external identity store and the local Cisco ISE database. When you configure Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from external authentication and authorization:

  • You do not need to specify any particular external administrator groups for the administrator.

  • You must configure the same username in both the external identity store and the local Cisco ISE database.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Admin Access > Administrators > Admin Users.

Step 2

Ensure that the administrator username in the external RSA identity store is also present in Cisco ISE. Ensure that you click the External option under Password.



You do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.

Step 3

Click Save.

External Authentication Process Flow

When the administrator logs in, the login session passes through the following steps in the process:

  1. The administrator sends an RSA SecurID challenge.

  2. RSA SecurID returns a challenge response.

  3. The administrator enters a user name and the RSA SecurID challenge response in the Cisco ISE login dialog, as if entering the user ID and password.

  4. The administrator ensures that the specified Identity Store is the external RSA SecurID resource.

  5. The administrator clicks Login.

Upon logging in, the administrator sees only the menu and data access items that are specified in the RBAC policy.

External Identity Sources

These windows enable you to configure and manage external identity sources that contain user data that Cisco ISE uses for authentication and authorization.

LDAP Identity Source Settings

The following table describes the fields on the LDAP Identity Sources window, which you can use to create an LDAP instance and connect to it. To view this window, click the Menu icon () and choose Administration > Identity Management > External Identity Sources > LDAP.

LDAP General Settings

The following table describes the fields in the General tab.

Table 1. LDAP General Settings

Field Name

Usage Guidelines


Name

Enter a name for the LDAP instance. This value is used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 64 characters.

Description

Enter a description for the LDAP instance. This value is of type string, and has a maximum length of 1024 characters.

Schema

You can choose any one of the following built-in schema types or create a custom schema:

  • Active Directory

  • Sun Directory Server

  • Novell eDirectory

    You can click the arrow next to Schema to view the schema details.

    If you edit the attributes of the predefined schema, Cisco ISE automatically creates a Custom schema.



The following fields can be edited only when you choose the Custom schema.

Subject Objectclass

Enter a value to be used in searches to obtain the subject DN and attributes. The value is of type string and the maximum length is 256 characters.

Subject Name Attribute

Enter the name of the attribute containing the username in the request. The value is of type string and the maximum length is 256 characters.



The configured subject name attribute should be indexed in the external ID store.

Group Name Attribute

  • CN: To retrieve the LDAP Identity Store Groups based on Common Name.

  • DN: To retrieve the LDAP Identity Store Groups based on Distinguished Name.

Certificate Attribute

Enter the attribute that contains the certificate definitions. For certificate-based authentication, these definitions are used to validate certificates that are presented by clients.

Group Objectclass

Enter a value to be used in searches to specify the objects that are recognized as groups. The value is of type string and the maximum length is 256 characters.

Group Map Attribute

Specifies the attribute that contains the mapping information. This attribute can be a user or group attribute based on the reference direction that is chosen.

Subject Objects Contain Reference To Groups

Click this option if the subject objects contain an attribute that specifies the group to which they belong.

Group Objects Contain Reference To Subjects

Click this option if the group objects contain an attribute that specifies the subject. This value is the default value.

Subjects in Groups Are Stored in Member Attribute As

(Only available when you enable the Group Objects Contain Reference To Subjects option) Specifies how members are stored in the group member attribute. The default is DN.

User Info Attributes

By default, predefined attributes are used to collect user information (such as first name, last name, email, telephone, locality, and so on) for the following built-in schema types:

  • Active Directory

  • Sun Directory Server

  • Novell eDirectory

If you edit the attributes of the predefined schema, Cisco ISE automatically creates a Custom schema.

You can also select the Custom option from the Schema drop-down list to edit the user information attributes based on your requirements.


The configured subject name attribute should be indexed in the external ID store.
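The following is an added example, not Cisco code, that models how the Custom-schema fields above drive the two LDAP lookups: the subject search built from Subject Objectclass and Subject Name Attribute, and group resolution in either reference direction with the result named by CN or DN. The in-memory directory, the attribute names and the USERNAME alternative for the member attribute are constructed assumptions; the practical point is that the username from the login request is filter-escaped (RFC 4515) before it is placed in the subject filter, so a value such as `*` cannot widen the search.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Attrs = Dict[str, List[str]]    # attribute name -> values
Directory = Dict[str, Attrs]    # DN -> attributes (constructed, in-memory stand-in for LDAP)

# RFC 4515 escaping for any value spliced into a search filter.  The username
# arrives in the login request, so without this a value such as "*" or
# "x)(objectClass=*" would change what the subject filter matches.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapSchema:
    """The Custom-schema fields of the General tab (AD-like defaults assumed)."""
    subject_objectclass: str = "person"
    subject_name_attribute: str = "sAMAccountName"
    group_objectclass: str = "group"
    group_map_attribute: str = "member"
    group_name_attribute: str = "CN"           # CN or DN
    subjects_reference_groups: bool = False    # False = group objects reference subjects (default)
    member_stored_as: str = "DN"               # DN (default); USERNAME is an assumed alternative

def subject_filter(schema: LdapSchema, username: str) -> str:
    """Filter issued under the Subject Search Base to locate the user's entry."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema.subject_objectclass, schema.subject_name_attribute,
        escape_filter_value(username))

def group_filter(schema: LdapSchema, member_value: str) -> str:
    """Filter issued under the Group Search Base when group objects reference subjects."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema.group_objectclass, schema.group_map_attribute,
        escape_filter_value(member_value))

def _has_class(attrs: Attrs, objectclass: str) -> bool:
    return objectclass.lower() in [v.lower() for v in attrs.get("objectClass", [])]

def _matches(attrs: Attrs, objectclass: str, attr: str, value: str) -> bool:
    """Exact equality match on one attribute, case-insensitive as in Active Directory."""
    return _has_class(attrs, objectclass) and \
        value.lower() in [v.lower() for v in attrs.get(attr, [])]

def find_subject(directory: Directory, schema: LdapSchema, username: str) -> Optional[str]:
    """Subject DN for the username, or None when it is absent or ambiguous."""
    hits = [dn for dn, attrs in directory.items()
            if _matches(attrs, schema.subject_objectclass,
                        schema.subject_name_attribute, username)]
    return hits[0] if len(hits) == 1 else None

def resolve_groups(directory: Directory, schema: LdapSchema, subject_dn: str) -> List[str]:
    """Groups the subject belongs to, named by CN or DN per Group Name Attribute."""
    subject = directory[subject_dn]
    if schema.subjects_reference_groups:
        # The user entry carries the references (e.g. memberOf holds group DNs).
        group_dns = [dn for dn in subject.get(schema.group_map_attribute, [])
                     if dn in directory and _has_class(directory[dn], schema.group_objectclass)]
    else:
        # The group entries carry the references; the value searched for is the
        # subject's DN or username per "Subjects in Groups Are Stored in Member Attribute As".
        needle = (subject_dn if schema.member_stored_as.upper() == "DN"
                  else subject[schema.subject_name_attribute][0])
        group_dns = [dn for dn, attrs in directory.items()
                     if _matches(attrs, schema.group_objectclass,
                                 schema.group_map_attribute, needle)]
    if schema.group_name_attribute.upper() == "DN":
        return sorted(group_dns)
    return sorted(directory[dn]["cn"][0] for dn in group_dns)

# Constructed sample directory: two users and two groups.
DIRECTORY: Directory = {
    "cn=Jane Doe,ou=Users,dc=example,dc=com": {
        "objectClass": ["top", "person"], "sAMAccountName": ["jdoe"],
        "memberOf": ["cn=ISE-Admins,ou=Groups,dc=example,dc=com",
                     "cn=Staff,ou=Groups,dc=example,dc=com"]},
    "cn=Sam Roe,ou=Users,dc=example,dc=com": {
        "objectClass": ["top", "person"], "sAMAccountName": ["sroe"],
        "memberOf": ["cn=Staff,ou=Groups,dc=example,dc=com"]},
    "cn=ISE-Admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "group"], "cn": ["ISE-Admins"],
        "member": ["cn=Jane Doe,ou=Users,dc=example,dc=com"]},
    "cn=Staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "group"], "cn": ["Staff"],
        "member": ["cn=Jane Doe,ou=Users,dc=example,dc=com",
                   "cn=Sam Roe,ou=Users,dc=example,dc=com"]},
}
```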

LDAP Connection Settings

The following table describes the fields in the Connection Settings tab.

Table 2. LDAP Connection Settings

Field Name

Usage Guidelines

Enable Secondary Server

Check this option to enable the secondary LDAP server to be used as a backup if the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.

Primary and Secondary Servers


Hostname/IP

Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

Port

Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.

Specify server for each ISE node

Check this check box to configure primary and secondary LDAP server hostnames/IP and their ports for each PSN.

When this option is enabled, a table listing all the nodes in the deployment is displayed. You need to select the node and configure the primary and secondary LDAP server hostname/IP and their ports for the selected node.


Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.

Authenticated Access: Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.

Admin DN

Enter the DN of the administrator. The Admin DN is the LDAP account that has permission to search all required users under the User Directory Subtree and to search groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP server.


Password

Enter the LDAP administrator account password.

Secure Authentication

Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.

LDAP Server Root CA

Choose a trusted root certificate authority from the drop-down list to enable secure authentication with a certificate.

Server Timeout

Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 99. The default is 10.

Max. Admin Connections

Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.

Force reconnect every N seconds

Check this check box and enter the desired value in the Seconds field to force the server to renew the LDAP connection at the specified interval. The valid range is from 1 to 60 minutes.

Test Bind to Server

Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.


Always Access Primary Server First

Click this option if you want Cisco ISE to always access the primary LDAP server first for authentications and authorizations.

Failback to Primary Server After

If the primary LDAP server that Cisco ISE attempts to contact cannot be reached, Cisco ISE attempts to contact the secondary LDAP server. If you want Cisco ISE to use the primary LDAP server again, click this option and enter a value in the text box.
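The interaction between Enable Secondary Server, Always Access Primary Server First and Failback to Primary Server After is easy to misjudge during an outage, so here is an added example (not Cisco code) that models the selection logic as a small state machine and replays a constructed outage through it. Trying the primary as a last resort while the failback window is still open, when the secondary also fails, is an assumption of this model, not something the page states.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

Probe = Callable[[str], bool]   # server name -> did it answer within Server Timeout?

@dataclass
class LdapFailover:
    """Server-selection state for one LDAP identity source (constructed model)."""
    secondary_enabled: bool = True              # "Enable Secondary Server"
    always_primary_first: bool = False          # "Always Access Primary Server First"
    failback_after_minutes: int = 5             # "Failback to Primary Server After"
    primary_failed_at: Optional[float] = None   # epoch seconds when the primary last failed

    def order(self, now: float) -> List[str]:
        """Servers to contact, in order, for a request issued at time `now`."""
        if not self.secondary_enabled:
            return ["primary"]
        if self.always_primary_first or self.primary_failed_at is None:
            return ["primary", "secondary"]
        if now - self.primary_failed_at >= self.failback_after_minutes * 60:
            self.primary_failed_at = None       # window elapsed: go back to the primary
            return ["primary", "secondary"]
        # Inside the window ISE stays on the secondary.  Trying the primary as a
        # last resort when the secondary also fails is an assumption of this model.
        return ["secondary", "primary"]

    def request(self, now: float, probe: Probe) -> Optional[str]:
        """Return the server that answered, or None when every candidate timed out."""
        for server in self.order(now):
            if probe(server):
                return server
            if server == "primary" and self.primary_failed_at is None:
                self.primary_failed_at = now    # start the failback timer
        return None

def simulate(failover: LdapFailover, timeline) -> List[Optional[str]]:
    """Replay a constructed timeline of (time, {server: reachable}) and record who answered."""
    return [failover.request(now, lambda s, up=up: up.get(s, False)) for now, up in timeline]

# Constructed outage: the primary is unreachable for the first two minutes.
TIMELINE = [
    (0,   {"primary": False, "secondary": True}),
    (60,  {"primary": False, "secondary": True}),
    (120, {"primary": True,  "secondary": True}),   # back, but the 5-minute window is not over
    (300, {"primary": True,  "secondary": True}),   # window elapsed: failback to the primary
]
```

With the defaults the third request still goes to the secondary even though the primary is reachable again; with Always Access Primary Server First it goes to the primary immediately.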

LDAP Directory Organization Settings

The following table describes the fields in the Directory Organization tab.

Table 3. LDAP Directory Organization Settings

Field Name

Usage Guidelines

Subject Search Base

Enter the DN for the subtree that contains all subjects. For example:

If the tree containing subjects is the base DN, enter:



as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Group Search Base

Enter the DN for the subtree that contains all groups. For example:

ou=organizational unit, ou=next organizational unit,

If the tree containing groups is the base DN, type:



as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

Search for MAC Address in Format

Enter a MAC address format for Cisco ISE to use when searching the LDAP database. MAC addresses in internal identity sources are stored in the format xx-xx-xx-xx-xx-xx. MAC addresses in LDAP databases can be stored in different formats. However, when Cisco ISE receives a host lookup request, Cisco ISE converts the MAC address from the internal format to the format that is specified in this field.

Use the drop-down list to enable searching for MAC addresses in a specific format, where <format> can be any one of the following:

  • xxxx.xxxx.xxxx

  • xxxxxxxxxxxx

  • xx-xx-xx-xx-xx-xx

  • xx:xx:xx:xx:xx:xx

The format you choose must match the format of the MAC address sourced in the LDAP server.

Strip Start of Subject Name Up To the Last Occurrence of the Separator

Enter the appropriate text to remove domain prefixes from usernames.

If Cisco ISE finds the delimiter character that is specified in this field in the username, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the <start_string> box, Cisco ISE strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\user1, Cisco ISE submits user1 to an LDAP server.



The <start_string> cannot contain the following special characters: the pound sign (#), the question mark (?), the quotation mark ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). Cisco ISE does not allow these characters in usernames.

Strip End of Subject Name from the First Occurrence of the Separator

Enter the appropriate text to remove domain suffixes from usernames.

If Cisco ISE finds the delimiter character that is specified in this field in the username, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the characters that are specified in this field, Cisco ISE strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is @ and the username is user1@domain, then Cisco ISE submits user1 to the LDAP server.



The <end_string> box cannot contain the following special characters: the pound sign (#), the question mark (?), the quotation mark ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). Cisco ISE does not allow these characters in usernames.
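As an added example (not Cisco code) covering both the MAC address format setting and the two subject-name strip rules described above: the first half converts a MAC from the internal xx-xx-xx-xx-xx-xx form into each selectable format and detects which setting matches a value as stored in the directory, so a mismatch can be caught before lookups silently fail; the second half applies the last-occurrence prefix strip and first-occurrence suffix strip and rejects the disallowed separator characters. Case-insensitive comparison of stored MAC values and the prefix-then-suffix order are assumptions of this example.

```python
import re
from typing import List, Optional

# --- "Search for MAC Address in Format" -------------------------------------

MAC_FORMATS = ["xxxx.xxxx.xxxx", "xxxxxxxxxxxx", "xx-xx-xx-xx-xx-xx", "xx:xx:xx:xx:xx:xx"]
_INTERNAL = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")   # xx-xx-xx-xx-xx-xx

def _render(hexdigits: str, fmt: str) -> str:
    """Lay out 12 hex digits in one of the four selectable formats."""
    if fmt == "xxxx.xxxx.xxxx":
        return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))
    if fmt == "xxxxxxxxxxxx":
        return hexdigits
    if fmt == "xx-xx-xx-xx-xx-xx":
        return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    if fmt == "xx:xx:xx:xx:xx:xx":
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError("unknown MAC format setting: %r" % fmt)

def to_ldap_format(internal_mac: str, fmt: str) -> str:
    """Convert a MAC from the internal xx-xx-xx-xx-xx-xx form to the configured search format."""
    if not _INTERNAL.fullmatch(internal_mac):
        raise ValueError("not in the internal MAC format: %r" % internal_mac)
    return _render(internal_mac.replace("-", "").lower(), fmt)

def detect_format(stored_value: str) -> Optional[str]:
    """Name the format setting that matches a value as stored in LDAP, or None."""
    digits = re.sub(r"[-:.]", "", stored_value)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    for fmt in MAC_FORMATS:
        if _render(digits.lower(), fmt) == stored_value.lower():
            return fmt
    return None

def host_lookup_matches(internal_mac: str, fmt: str, stored_values: List[str]) -> bool:
    """Would a host lookup under setting `fmt` find the stored LDAP value?
    Case-insensitive comparison, as LDAP attribute matching typically is (assumption)."""
    needle = to_ldap_format(internal_mac, fmt)
    return any(v.lower() == needle for v in stored_values)

# --- "Strip Start/End of Subject Name" --------------------------------------

FORBIDDEN = set('#?"*><')   # characters Cisco ISE does not allow in the separator boxes

def is_valid_separator(separator: str) -> bool:
    return bool(separator) and not (set(separator) & FORBIDDEN)

def strip_start(username: str, start_string: str) -> str:
    """Drop everything up to and including the LAST occurrence of any separator character."""
    cut = max((username.rfind(ch) for ch in start_string), default=-1)
    return username[cut + 1:]

def strip_end(username: str, end_string: str) -> str:
    """Drop everything from the FIRST occurrence of any separator character to the end."""
    hits = [username.find(ch) for ch in end_string if ch in username]
    return username[:min(hits)] if hits else username

def normalize_subject(username: str, start_string: str = "", end_string: str = "") -> Optional[str]:
    """Apply both strip rules; None when nothing is left.  Prefix-then-suffix order
    is an assumption of this model."""
    for sep in (start_string, end_string):
        if sep and not is_valid_separator(sep):
            raise ValueError("separator contains a disallowed character: %r" % sep)
    return strip_end(strip_start(username, start_string), end_string) or None
```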

LDAP Group Settings

Table 4. LDAP Group Settings

Field Name

Usage Guidelines


Choose Add > Add Group to add a new group or choose Add > Select Groups From Directory to select the groups from the LDAP directory.

If you choose to add a group, enter a name for the new group. If you are selecting from the directory, enter the filter criteria, and click Retrieve Groups. Check the check boxes next to the groups that you want to select and click OK. The groups that you have selected will appear in the Groups window.


When dynamically assigning groups based on LDAP membership, authentication must be through LDAP.

LDAP Attribute Settings

Table 5. LDAP Attribute Settings

Field Name

Usage Guidelines


Choose Add > Add Attribute to add a new attribute or choose Add > Select Attributes From Directory to select attributes from the LDAP server.

If you choose to add an attribute, enter a name for the new attribute. If you are selecting from the directory, enter the username and click Retrieve Attributes to retrieve the attributes. Check the check boxes next to the attributes that you want to select, and then click OK.

LDAP Advanced Settings

The following table describes the field in the Advanced Settings tab.

Table 6. LDAP Advanced Settings

Field Name

Usage Guidelines

Enable Password Change

Check this check box to enable the user to change the password in case of password expiry or password reset while using the PAP protocol for device administration and the RADIUS EAP-GTC protocol for network access. User authentication fails for unsupported protocols. This option also enables the user to change the password on their next login.

RADIUS Token Identity Sources Settings

The following table describes the fields on the RADIUS Token Identity Sources window, which you can use to configure and connect to an external RADIUS identity source. To view this window, click the Menu icon () and choose Administration > Identity Management > External Identity Sources > RADIUS Token.
Table 7. RADIUS Token Identity Source Settings

Field Name

Usage Guidelines

Name

Enter a name for the RADIUS token server. The maximum number of characters allowed is 64.

Description

Enter a description for the RADIUS token server. The maximum number of characters is 1024.

SafeWord Server

Check this check box if your RADIUS identity source is a SafeWord server.

Enable Secondary Server

Check this check box to enable the secondary RADIUS token server for Cisco ISE to use as a backup in case the primary fails. If you check this check box, you must configure a secondary RADIUS token server.

Always Access Primary Server First

Click this option if you want Cisco ISE to always access the primary server first.

Fallback to Primary Server after

Click this option to specify the amount of time in minutes that Cisco ISE can authenticate using the secondary RADIUS token server if the primary server cannot be reached. After this time elapses, Cisco ISE reattempts to authenticate against the primary server.

Primary Server

Host IP

Enter the IP address of the primary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).

Shared Secret

Enter the shared secret that is configured on the primary RADIUS token server for this connection.

Authentication Port

Enter the port number on which the primary RADIUS token server is listening.

Server Timeout

Specify the time in seconds that Cisco ISE should wait for a response from the primary RADIUS token server before it determines that the primary server is down.

Connection Attempts

Specify the number of attempts that Cisco ISE should make to reconnect to the primary server before moving on to the secondary server (if defined) or dropping the request if a secondary server is not defined.

Secondary Server

Host IP

Enter the IP address of the secondary RADIUS token server. This field can take as input a valid IP address that is expressed as a string. Valid characters that are allowed in this field are numbers and dot (.).

Shared Secret

Enter the shared secret configured on the secondary RADIUS token server for this connection.

Authentication Port

Enter the port number on which the secondary RADIUS token server is listening. Valid values are from 1 to 65,535. The default is 1812.

Server Timeout

Specify the time in seconds that Cisco ISE should wait for a response from the secondary RADIUS token server before it determines that the secondary server is down.

Connection Attempts

Specify the number of attempts that Cisco ISE should make to reconnect to the secondary server before dropping the request.

RSA SecurID Identity Source Settings

The following table describes the fields on the RSA SecurID Identity Sources window, which you can use to create and connect to an RSA SecurID identity source. To view this window, click the Menu icon () and choose Administration > Identity Management > External Identity Sources > RSA SecurID.

RSA Prompt Settings

The following table describes the fields in the RSA Prompts tab.

Table 8. RSA Prompt Settings

Field Name

Usage Guidelines

Enter Passcode Prompt

Enter a text string to obtain the passcode.

Enter Next Token Code

Enter a text string to request the next token.

Choose PIN Type

Enter a text string to request the PIN type.

Accept System PIN

Enter a text string to accept the system-generated PIN.

Enter Alphanumeric PIN

Enter a text string to request an alphanumeric PIN.

Enter Numeric PIN

Enter a text string to request a numeric PIN.

Re-enter PIN

Enter a text string to request the user to re-enter the PIN.

RSA Message Settings

The following table describes the fields in the RSA Messages tab.

Table 9. RSA Messages Settings

Field Name

Usage Guidelines

Display System PIN Message

Enter a text string to label the system PIN message.

Display System PIN Reminder

Enter a text string to inform the user to remember the new PIN.

Must Enter Numeric Error

Enter a message that instructs users to enter only numbers for the PIN.

Must Enter Alpha Error

Enter a message that instructs users to enter only alphanumeric characters for PINs.

PIN Accepted Message

Enter a message that the users see when their PIN is accepted by the system.

PIN Rejected Message

Enter a message that the users see when the system rejects their PIN.

User Pins Differ Error

Enter a message that the users see when they enter an incorrect PIN.

System PIN Accepted Message

Enter a message that the users see when the system accepts their PIN.

Bad Password Length Error

Enter a message that the users see when the PIN that they specify does not fall within the range specified in the PIN length policy.

Cisco ISE Users

In this topic, the term user refers to employees and contractors who access a network regularly, as well as to sponsor users and guest users. A sponsor user is an employee or contractor of an organization who creates and manages guest user accounts through the sponsor portal. A guest user is an external visitor who needs access to an organization’s network resources for a limited period of time.

You must create an account for all the users to gain access to resources and services on the Cisco ISE network. Employees, contractors, and sponsor users should be created from the Admin portal.

You can choose to add the Date Enabled column (Settings > Columns > Date Enabled) and the Days Until Password Expires column (Settings > Columns > Days Until Password Expires) to the Network Access User table in the Network Access Users window (Administration > Identity Management > Identities > Users) to help you sort network access users by using their password expiry information. The Date Enabled and Days Until Password Expires fields are not added by default. You can add them to the Network Access User table using the customization option in the window.

From Cisco ISE Release 3.3, you can add the Date Created column (Settings > Columns > Date Created) and Date Modified column (Settings > Columns > Date Modified) to the Network Access User table to help you sort network access users using this information in the Network Access Users window (Administration > Identity Management > Identities > Users). The Date Created column shows you when a user was created, and the Date Modified column shows you when the details of the user were last modified. These fields are not added by default. You can add them to the Network Access User table using the customization option in the Network Access Users window. These columns can also be sorted in ascending and descending order.


When you upgrade to Cisco ISE Release 3.3, the Date Created and Date Modified fields are marked as Not Applicable (N/A). Hence, the exported CSV file will have blank cells in the Date Created and Date Modified columns for these users. When the details of these users are modified, the Date Modified field will be updated to display the date of modification.

We recommend that the passwords of internal users (Network Access users and Admin users) have at least eight characters.

User Identity

User identity is like a container that holds information about a user and forms their network access credentials. Each user’s identity is defined by data that includes a username, e-mail address, password, account description, associated administrative group, user group, and role.

User Groups

User groups are a collection of individual users who share a common set of privileges that allow them to access a specific set of Cisco ISE services and functions.

User Identity Groups

A user’s group identity is composed of elements that identify and describe a specific group of users. A group name describes the functional role that the members of the group have. A group is a listing of the users that belong to it.

Default User Identity Groups

Cisco ISE comes with the following predefined user identity groups:

  • All_Accounts

  • Employee

  • Group_Accounts

  • GuestType_Contractor

  • GuestType_Daily

  • GuestType_SocialLogin

  • GuestType_Weekly

  • Own_Accounts

User Role

A user role is a set of permissions that determine what tasks a user can perform and what services they can access on the Cisco ISE network. A user role is associated with a user group; network access user is one example of a role.

User Account Custom Attributes

Cisco ISE allows you to restrict network access based on user attributes for both network access users and administrators. Cisco ISE comes with a set of predefined user attributes and also allows you to create custom attributes. Both types of attributes can be used in conditions that define the authentication policy. You can also define a password policy for user accounts so that passwords meet specified criteria.

Custom User Attributes

You can configure more user-account attributes on the User Custom Attributes window (Administration > Identity Management > Settings > User Custom Attributes). You can also view the list of predefined user attributes in this window. You cannot edit the predefined user attributes.

Enter the required details in the User Custom Attributes pane to add a new custom attribute. The custom attributes and the default values that you add on the User Custom Attributes window are displayed while adding or editing a Network Access user (Administration > Identity Management > Identities > Users > Add/Edit) or Admin user (Administration > System > Admin Access > Administrators > Admin Users > Add/Edit). You can change the default values while adding or editing a Network Access or Admin user.

You can select the following data types for the custom attributes on the User Custom Attributes window:

  • String: You can specify the maximum string length (maximum allowed length for a string attribute value).

  • Integer: You can configure the minimum and maximum value (specifies the lowest and the highest acceptable integer value).

  • Enum: You can specify the following values for each parameter:

    • Internal value

    • Display value

    You can also specify the default parameter. The values that you add in the Display field are displayed while adding or editing a Network Access or Admin user.

  • Float

  • Password: You can specify the maximum string length.

  • Long: You can configure the minimum and maximum value.

  • IP: You can specify a default IPv4 or IPv6 address.

  • Boolean: You can set either True or False as the default value.

  • Date: You can select a date from the calendar and set it as the default value. The date is displayed in yyyy-mm-dd format.

Check the Mandatory check box if you want to make an attribute mandatory while adding or editing a Network Access or Admin user. You can also set default values for the custom attributes.

The custom attributes can be used in the authentication policies. The data type and the allowable range that you set for the custom attributes are applied to the custom attribute values in the policy conditions.


Some characters are considered invalid for Attribute Names and Attribute Values. Using the following characters for Attribute Names and Attribute Values is restricted.

  • Attribute Value: @, =, +, or - (do not use these characters at the beginning of an attribute name or value)

  • Attribute Name: ^, =, , \, ", `, |, : (do not use these characters anywhere in the string)

User Authentication Settings

Not all external identity stores allow network access users to change their passwords. See the section for each identity source for more information.

Password rules for network access users are configured in Administration > Identity Management > Settings > User Authentication Settings.

The following section has additional information about some of the fields in the Password Policy tab.

  • Required Characters: If you configure a user-password policy that requires upper or lowercase characters, and the user’s language does not support these characters, the user cannot set a password. To support UTF-8 characters, uncheck the following check boxes:

    • Lowercase Alphabetic Characters

    • Uppercase Alphabetic Characters

  • Password Change Delta: Specifies the minimum number of characters that must change when changing the current password to a new password. From Cisco ISE 3.2, the valid range is 1-20. Cisco ISE does not consider changing the position of a character as a change. For example, if the password delta is 3 and the current password is "?Aa1234?", then "?Aa1567?" ("5", "6" and "7" are the three new characters) is a valid new password. "?Aa1562?" fails, because the "?", "2", and "?" characters are already in the current password, leaving only two new characters. "Aa1234??" fails, because even though the character positions changed, the same characters are in the current password.

    Password change delta also considers the previous X passwords, where X is the value of Password must be different from the previous versions. If your password delta is 3, and your password history is 2, then you must change the four characters that are not a part of the past two passwords.

  • Dictionary words: Check this check box to restrict the use of any dictionary word, its characters in reverse order, or its letters replaced with other characters.

    Substituting "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", or "3" for "e" does not make a dictionary word acceptable; for example, "Pa$$w0rd" is rejected.

    • Default Dictionary: Choose this option to use the default Linux dictionary in Cisco ISE. The default dictionary contains approximately 480,000 English words.

    • Custom Dictionary: Choose this option to use your customized dictionary. Click Choose File to select a custom dictionary file. The text file must be of newline-delimited words, .dic extension, and size less than 20 MB.

  • You can use the Password Lifetime section to update the password reset interval and reminder. To set the lifetime of a password, check the Change password every __ days (valid range 1 to 3650) check box, and enter the number of days in the input field. Select the Disable User Account option to disable a user account if the user does not change the password within the specified time. Choose Require password change on next login to prompt the user to change their password the next time they log in to Cisco ISE.

    To send a reminder email for password reset, check the Display Reminder __ Days Prior to Password Expiration check box and enter the number of days before which a reminder email should be sent to the email address configured for the network access user. While creating a network access user, you can add the email address in the Administration > Identity Management > Identities > Users > Add Network Access User window to send an email notification for password reset.


    • The reminder email is sent from the following email address: iseadminportal@<ISE-Primary-FQDN>. You must explicitly permit access for this sender.

    • By default, the reminder email has the following content: Your network access password will expire on <password expiry date and time>. Please contact your system administrator for assistance.

      From Cisco ISE Release 3.2, you can customize the email content after the Please contact your system administrator for assistance portion of the email notification.

    • From Cisco ISE Release 3.2, if the Change Password check box is not checked under the Password Lifetime field (Administration > Identity Management > Settings > User Authentication Settings > Password Policy > Password Lifetime), the Password Lifetime field is not displayed for this user in the Network Access Users window.

  • Lock/Suspend Account with Incorrect Login Attempts: Use this option to suspend or lock an account if the login attempt failed for the specified number of times. The valid range is from 3 to 20.

  • Account Disable Policy: Configure the rules about when to disable an existing user account. See Disable User Accounts Globally for more information.
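The following added example (not Cisco ISE code) models the Password Policy rules described above in Python: minimum length, required character classes, the position-insensitive Password Change Delta checked against the current password and the previous X passwords, and the Dictionary words check applied forwards, reversed and with the listed substitutions undone. The five-word dictionary and the substring matching rule are constructed assumptions standing in for the ~480,000-word default dictionary.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Character substitutions the Dictionary words check refuses to accept as a disguise.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "!": "i", "3": "e"})

# Constructed stand-in for the ~480,000-word default Linux dictionary.
SAMPLE_DICTIONARY = {"password", "secret", "welcome", "summer", "network"}


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # the eight-character recommendation above
    require_lowercase: bool = True      # uncheck both for scripts without letter case
    require_uppercase: bool = True
    change_delta: int = 3               # valid range 1-20 from Cisco ISE 3.2
    history_depth: int = 2              # "different from the previous X versions"
    dictionary: Set[str] = field(default_factory=lambda: set(SAMPLE_DICTIONARY))


def count_new_characters(candidate: str, previous: List[str]) -> int:
    """Count characters of candidate that appear in none of the previous passwords.

    Position is ignored, so merely moving characters around yields zero new
    characters. Every occurrence of a genuinely new character counts.
    """
    seen = set("".join(previous))
    return sum(1 for ch in candidate if ch not in seen)


def normalize(candidate: str) -> str:
    """Lowercase and undo the substitutions the policy refuses ($->s, @->a, ...)."""
    return candidate.lower().translate(LEET_MAP)


def dictionary_hit(candidate: str, dictionary: Set[str], min_word_len: int = 4) -> Optional[str]:
    """Return the dictionary word found in candidate, forwards or reversed, else None.

    Assumption (not stated on the page): a word is a hit when it appears as a
    substring after normalization; very short words are ignored to limit noise.
    """
    norm = normalize(candidate)
    for word in dictionary:
        if len(word) >= min_word_len and (word in norm or word[::-1] in norm):
            return word
    return None


def validate_new_password(candidate: str, current: str, history: List[str],
                          policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations for candidate (empty means accepted)."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lowercase and not any(c.islower() for c in candidate):
        problems.append("no lowercase alphabetic character")
    if policy.require_uppercase and not any(c.isupper() for c in candidate):
        problems.append("no uppercase alphabetic character")
    # Password Change Delta, checked against the current password and the
    # previous X passwords (most recent first) kept in history.
    compared = [current] + history[: policy.history_depth]
    new_chars = count_new_characters(candidate, compared)
    if new_chars < policy.change_delta:
        problems.append(f"only {new_chars} new character(s); delta requires {policy.change_delta}")
    word = dictionary_hit(candidate, policy.dictionary)
    if word is not None:
        problems.append(f"contains dictionary word '{word}' (possibly reversed or with substitutions)")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("?Aa1567?", "?Aa1562?", "Aa1234??", "Pa$$w0rd"):
        print(candidate, validate_new_password(candidate, "?Aa1234?", [], policy) or "OK")
```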

Generate Automatic Password for Users and Administrators

You can use the Generate Password option on the user and administrator creation window to generate a password that adheres to the Cisco ISE password policies. This lets users and administrators use a password generated by Cisco ISE instead of spending time thinking of a safe password to configure.

The Generate Password option is available in the following windows:

  • Administration > Identity Management > Identities > Users.

  • Administration > System > Admin Access > Administrators > Admin Users.

  • Settings > Account Settings > Change Password.

Internal User Operations

To Add Users

Cisco ISE allows you to view, create, modify, duplicate, delete, change the status, import, export, or search for attributes of Cisco ISE users.

If you are using a Cisco ISE internal database, you must create an account for any new user who needs access to the resources or services on a Cisco ISE network.


Step 1

Choose Administration > Identity Management > Identities > Users.

You can also create users by accessing the Work Centers > Device Administration > Identities > Users window.

Step 2

Click Add (+) to create a new user.

Step 3

Enter values in all the fields.



Do not include !, %, :, ;, [, {, |, }, ], `, ?, =, <, >, \ and control characters in the username. Username with only spaces is also not allowed. If you use the Cisco ISE Internal Certificate Authority (CA) for BYOD, the username that you provide here is used as the Common Name for the endpoint certificate. Cisco ISE Internal CA does not support "+" or "*" characters in the Common Name field.

From Cisco ISE Release 3.2, as an internal user of Cisco ISE, you can:

  1. Add an alias to your account name in the Account Name Alias field. Your account name alias is used in email notifications about password expiration. If multiple internal users use the same email address, adding an alias helps you differentiate who the email recipient must be. The content of this notification email can be edited in the User Authentication Settings window (Administration > Identity Management > Settings > User Authentication Settings).

  2. Enter the lifetime of the Login and Enable passwords of a user by using the Password Lifetime field.

    • Click the With Expiration radio button to set a password with a defined lifetime. The number of days remaining until password expiry is displayed below this field.

      To prevent automatic disablement of the account after password expiration, change the Password Lifetime configuration in the User Authentication Settings window. This also applies to the Enable password unless it is explicitly set as Never Expires in the User Authentication Settings window (Administration > Identity Management > Settings > User Authentication Settings).

    • Click the Never Expires radio button to prevent the Login and Enable passwords of a user from expiring. This overrides the global password settings, and the user account will not be disabled. This field does not apply to Cisco ISE admin users.


      • The Password Lifetime field is not available to Cisco ISE users who are also admin users. A green check mark is displayed against a Cisco ISE user who is also an admin in the Network Access User table.

      • The Password Lifetime field is only accessible when Internal Users is chosen as the Password Type.

      • If the Change Password check box is left unchecked under the Password Lifetime field (Administration > Identity Management > Settings > User Authentication Settings > Password Policy > Password Lifetime), the Password Lifetime option is not shown in the Passwords section of the Network Access Users window.

Step 4

Click Submit to create a new user in the Cisco ISE internal database.

Export Cisco ISE User Data

You can export user data from the Cisco ISE internal database. Cisco ISE allows you to export user data in the form of a password-protected CSV file.


Step 1

Choose Administration > Identity Management > Identities > Users.

Step 2

Check the check box that corresponds to the user(s) whose data you want to export.

Step 3

Click Export Selected.

Step 4

In the Key field, enter a key for encrypting the password.

Step 5

Click Start Export to create a users.csv file.

Step 6

Click OK to export the users.csv file.

When you upgrade to Cisco ISE Release 3.3, the Date Created and Date Modified fields of existing users are marked as Not Applicable (N/A). Hence, the exported CSV file has blank cells in the Date Created and Date Modified columns for these users.

Import Cisco ISE Internal Users

You can import new user data into Cisco ISE with a CSV file, to create new internal accounts. A template CSV file is available for download while you import user accounts. Sponsors can import users in the Sponsor portal. See Configure Account Content for Sponsor Account Creation for information about configuring the information types that the sponsor guest accounts use.


If the CSV file contains custom attributes, the data type and the allowable range that you set for the custom attributes will be applied to the custom attribute values during import.


Step 1

Choose Administration > Identity Management > Identities > Users.

Step 2

Click Import to import users from a comma-delimited text file.

If you do not have a comma-delimited text file, click Generate a Template to create a CSV file with the heading rows filled in.

Step 3

In the File field, enter the filename containing the usernames to import, or click Browse and navigate to the location where the file is present.

Step 4

Check the Create new user(s) and update existing user(s) with new data check box to create new users and update existing user details.

Step 5

Click Save.

We recommend that you do not delete all the network access users at once, because this may cause a CPU spike and crash the services, especially if you are using a very large database.

The import date will be considered as the creation date for imported Cisco ISE internal users.

Endpoint Settings

The following table describes the fields on the Endpoints window, which you can use to create endpoints and assign policies for endpoints. To view this window, click the Menu icon and choose Work Centers > Network Access > Identities > Endpoints.

Table 10. Endpoint Settings

Field Name

Usage Guidelines

MAC Address

Enter the MAC address in hexadecimal format to create an endpoint statically.

The MAC address is the device identifier for the interface that is connected to the Cisco ISE enabled network.

Static Assignment

Check this check box when you want to create an endpoint statically in the Endpoints window and the status of static assignment is set to static.

You can toggle the status of static assignment of an endpoint from static to dynamic or from dynamic to static.

Policy Assignment

(Disabled by default unless the Static Assignment is checked) Choose a matching endpoint policy from the Policy Assignment drop-down list.

You can do one of the following:

  • If you do not choose a matching endpoint policy, but use the default endpoint policy Unknown, then the static assignment status is set to dynamic for the endpoint that allows dynamic profiling of an endpoint.

  • If you choose a matching endpoint policy other than Unknown, then the static assignment status is set to static for that endpoint and the Static Assignment check box is automatically checked.

Static Group Assignment

Check this check box when you want to assign an endpoint to an identity group statically.

If you check this check box, the profiling service does not change the endpoint identity group during the next evaluation of the endpoint policy for these endpoints, even if they were previously assigned dynamically to other endpoint identity groups.

If you uncheck this check box, then the endpoint identity group is dynamic as assigned by the ISE profiler based on policy configuration. If you do not choose the Static Group Assignment option, then the endpoint is automatically assigned to the matching identity group the next time during evaluation of the endpoint policy.

Identity Group Assignment

Choose an endpoint identity group to which you want to assign the endpoint.

You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create Matching Identity Group option during evaluation of the endpoint policy for an endpoint.

Cisco ISE includes the following system created endpoint identity groups:

  • Blocked List

  • GuestEndpoints

  • Profiled

    • Cisco IP-Phone

    • Workstation

  • RegisteredDevices

  • Unknown

Active Directory user endpoints that repeatedly fail RADIUS authentication for the same reason will be automatically rejected for a certain period, to avoid unnecessary processing by Cisco ISE and to protect against potential denial of service attacks.

To view a list of rejected endpoints, choose Operations > Reports > Rejected Endpoints. The data for this report will be available and displayed only when Advantage License is installed.


AD user endpoints that fail RADIUS authentication with the following two error messages are not rejected:



Endpoint Import from LDAP Settings

The following table describes the fields on the Import from LDAP window, which you can use to import endpoints from an LDAP server. To view this window, click the Menu icon and choose Work Centers > Network Access > Identities > Endpoints.

Table 11. Endpoint Import from LDAP Settings

Field Name

Usage Guidelines

Connection Settings


Enter the hostname, or the IP address of the LDAP server.


Enter the port number of the LDAP server. You can use the default port 389 to import from an LDAP server, and the default port 636 to import from an LDAP server over SSL.



Cisco ISE supports any configured port number. The configured value should match the LDAP server connection details.

Enable Secure Connection

Check the Enable Secure Connection check box to import from an LDAP server over SSL.

Root CA Certificate Name

Click the drop-down arrow to view the trusted CA certificates.

The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE.

Anonymous Bind

You must enable either the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file.

Admin DN

Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file.

Admin DN format example: cn=Admin,, dc=com


Enter the password configured for the LDAP administrator in the slapd.conf configuration file.

Base DN

Enter the distinguished name of the parent entry.

Base DN format example:, dc=com.

Query Settings

MAC Address objectClass

Enter the query filter, which is used for importing the MAC address, for example, ieee802Device.

MAC Address Attribute Name

Enter the returned attribute name for import, for example, macAddress.

Profile Attribute Name

Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server.

When you configure the Profile Attribute Name field, consider the following:

  • If you do not specify this LDAP attribute in the Profile Attribute Name field or configure this attribute incorrectly, then endpoints are marked “Unknown” during an import operation, and these endpoints are profiled separately to the matching endpoint profiling policies.

  • If you configure this LDAP attribute in the Profile Attribute Name field, the attribute values are validated to ensure that the endpoint policy matches with an existing policy in Cisco ISE, and endpoints are imported. If the endpoint policy does not match with an existing policy, then those endpoints will not be imported.

Time Out

Enter the time in seconds. The valid range is from 1 to 60 seconds.

Identity Group Operations

Create a User Identity Group

You must create a user identity group before you can assign a user to it.


Step 1

Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups > Add.

You can also create a user identity group by accessing the Work Centers > Device Administration > User Identity Groups > Identity Groups > User Identity Groups > Add page.

Step 2

Enter values in the Name and Description fields. Supported characters for the Name field are space # $ & ‘ ( ) * + - . / @ _ .

Step 3

Click Submit.

Export User Identity Groups

Cisco ISE allows you to export locally configured user identity groups in the form of a csv file.


Step 1

Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.

Step 2

Check the check box that corresponds to the user identity group that you want to export, and click Export.

Step 3

Click OK.

Import User Identity Groups

Cisco ISE allows you to import user identity groups in the form of a csv file.


Step 1

Choose Administration > Identity Management > Groups > Identity Groups > User Identity Groups.

Step 2

Click Generate a Template to get a template to use for the import file.

Step 3

Click Import to import user identity groups from a comma-delimited text file.

Step 4

Check the Overwrite existing data with new data check box if you want to both add a new user identity group and update existing user identity groups.

Step 5

Click Import.

Step 6

Click Save to save your changes to the Cisco ISE database.

Endpoint Identity Group Settings

The following table describes the fields on the Endpoint Identity Groups window, which you can use to create an endpoint group. To view this window, click the Menu icon and choose Administration > Identity Management > Groups > Endpoint Identity Groups.

Table 12. Endpoint Identity Group Settings

Field Name

Usage Guidelines


Enter the name of the endpoint identity group that you want to create.


Enter a description for the endpoint identity group that you want to create.

Parent Group

Choose an endpoint identity group from the Parent Group drop-down list to which you want to associate the newly created endpoint identity group.

Configure Maximum Concurrent Sessions

For optimal performance, you can limit the number of concurrent user sessions. You can set the limits at the user level or at the group level. Depending upon the maximum user session configurations, the session count is applied to the user.

You can configure the maximum number of concurrent sessions for each user per ISE node. Sessions above this limit are rejected.


Step 1

Choose Administration > System > Settings > Max Sessions > User.

Step 2

Do one of the following:

  • Enter the maximum number of concurrent sessions that are allowed for each user in the Maximum Sessions per User field.

  • Check the Unlimited Sessions check box if you want the users to have unlimited sessions. This option is selected by default.

Step 3

Click Save.

If the maximum number of sessions is configured at both the user and group level, the smaller value will have precedence. For example, if the maximum session value for a user is set as 10 and the maximum session value of the group to which the user belongs is set as 5, the user can have a maximum of 5 sessions only.


The maximum concurrent session count is managed by the PSN in which it is configured. This count is not synchronized among the PSNs. If the authentication is done in Cisco ISE, where the maximum concurrent sessions per user or group is configured, and authorization is done in a different proxy server, then the maximum concurrent session limit is applicable only in the Cisco ISE and is not applied to the proxy server.

Maximum concurrent session count is implemented in the runtime process and the data is stored only in the memory. If the PSN is restarted, the maximum concurrent session counters are reset.

Maximum concurrent session count is case insensitive with respect to usernames, irrespective of the Network Access Device used (when the same PSN node is used).

Maximum Concurrent Sessions for a Group

You can configure the maximum number of concurrent sessions for the identity groups.

Sometimes all the sessions can be used by a few users in the group. Requests from other users to create a new session are then rejected because the number of sessions has already reached the maximum configured value. Cisco ISE therefore also allows you to configure a maximum session limit for each user in the group: a user belonging to a specific identity group cannot open more sessions than this limit, irrespective of the number of sessions other users from the same group have opened. When calculating the session limit for a particular user, the lowest configured value takes precedence, whether it is the global session limit per user, the session limit per identity group that the user belongs to, or the session limit per user in the group.

To configure maximum number of concurrent sessions for an identity group:


Step 1

Choose Administration > System > Settings > Max Sessions > Group.

All the configured identity groups are listed.

Step 2

Click the Edit icon next to the group that you want to edit and enter the values for the following:

  • Maximum number of concurrent sessions permitted for that group. If the maximum number of sessions for a group is set as 100, the total count of all sessions established by all members of that group cannot exceed 100.



    Group-level session limits are applied based on the group hierarchy.

  • Maximum number of concurrent sessions permitted for each user in that group. This option overrides the maximum number of sessions for a group.

If you want to set the maximum number of concurrent sessions for a group or maximum concurrent sessions for the users in a group as Unlimited, leave the Max Sessions for Group/Max Sessions for User in Group field blank, click the Tick icon, and then click Save. By default, both these values are set as Unlimited.

Step 3

Click Save.
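The following added example (not Cisco ISE code) models the admission rules described in this and the previous procedure: a per-PSN in-memory counter, case-insensitive usernames, the lowest of the global per-user, per-group and per-user-in-group limits capping a user, the group total cap, the Counter Time Limit expiry and the Live Logs reset. Blank (None) means Unlimited; the parent-group hierarchy is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GroupLimits:
    max_for_group: Optional[int] = None          # blank in the UI means Unlimited
    max_per_user_in_group: Optional[int] = None  # blank in the UI means Unlimited


@dataclass
class Session:
    user: str          # stored lowercased: counting is case insensitive
    group: str
    started_at: float  # seconds; used by the Counter Time Limit


class MaxSessionsCounter:
    """In-memory counter for one PSN; not synchronized with other PSNs, lost on restart."""

    def __init__(self, max_sessions_per_user: Optional[int] = None,
                 counter_time_limit: Optional[float] = None) -> None:
        self.max_sessions_per_user = max_sessions_per_user  # Max Sessions > User
        self.counter_time_limit = counter_time_limit        # "Delete sessions after", seconds
        self.groups: Dict[str, GroupLimits] = {}
        self.sessions: List[Session] = []

    def configure_group(self, group: str, max_for_group: Optional[int] = None,
                        max_per_user_in_group: Optional[int] = None) -> None:
        self.groups[group] = GroupLimits(max_for_group, max_per_user_in_group)

    def effective_user_limit(self, group: str) -> Optional[int]:
        """Lowest configured value wins: global per user, per group, per user in group."""
        limits = self.groups.get(group, GroupLimits())
        configured = [v for v in (self.max_sessions_per_user, limits.max_for_group,
                                  limits.max_per_user_in_group) if v is not None]
        return min(configured) if configured else None

    def expire(self, now: float) -> int:
        """Drop sessions older than the Counter Time Limit; returns how many were dropped.

        Only the counter changes: the users themselves are not logged out.
        """
        if self.counter_time_limit is None:
            return 0
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if now - s.started_at <= self.counter_time_limit]
        return before - len(self.sessions)

    def count_user(self, username: str) -> int:
        user = username.lower()
        return sum(1 for s in self.sessions if s.user == user)

    def count_group(self, group: str) -> int:
        return sum(1 for s in self.sessions if s.group == group)

    def admit(self, username: str, group: str, now: float) -> bool:
        """Return True and record the session if both the user and group caps allow it."""
        self.expire(now)
        user = username.lower()
        user_limit = self.effective_user_limit(group)
        if user_limit is not None and self.count_user(user) >= user_limit:
            return False
        group_limit = self.groups.get(group, GroupLimits()).max_for_group
        if group_limit is not None and self.count_group(group) >= group_limit:
            return False
        self.sessions.append(Session(user, group, now))
        return True

    def reset_user(self, username: str) -> int:
        """The RADIUS Live Logs reset: remove the user's sessions from the counter only."""
        user = username.lower()
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if s.user != user]
        return before - len(self.sessions)


if __name__ == "__main__":
    # The example from the text: per-user limit 10, group limit 5 -> the user gets 5.
    counter = MaxSessionsCounter(max_sessions_per_user=10, counter_time_limit=3600)
    counter.configure_group("Employee", max_for_group=5)
    print("effective limit:", counter.effective_user_limit("Employee"))
    print([counter.admit("Alice", "Employee", t) for t in range(6)])  # five True, then False
```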

Configure Counter Time Limit

You can configure the timeout value for concurrent user sessions.


Step 1

Choose Administration > System > Settings > Max Sessions > Counter Time Limit.

Step 2

Select one of the following options:

  • Unlimited: Check this check box if you do not want to set any timeout or time limit for the sessions.

  • Delete sessions after: You can enter the timeout value for concurrent sessions in minutes, hours, or days. When a session exceeds the time limit, Cisco ISE deletes the session from the counter and updates the session count, thereby allowing new sessions. Users will not be logged out if their sessions exceed the time limit.

Step 3

Click Save.

You can reset the session count from the RADIUS Live Logs window. Click the Actions icon displayed on the Identity, Identity Group, or Server column to reset the session count. When you reset a session, the session is deleted from the counter (thereby allowing new sessions). Users will not be disconnected if their sessions are deleted from the counter.

Disable Account Policy

While authenticating or querying a user or administrator, Cisco ISE checks the global account disable policy settings at Administration > Identity Management > Settings > User Authentication Settings and authenticates or returns a result based on the configuration.

Cisco ISE verifies the following three policies:

  • Disable user accounts that exceed a specified date (yyyy-mm-dd): Disables the user account on the specified date. However, the account disable policy settings for an individual network access user configured at Administration > Identity Management > Identities > Users > Account Disable Policy takes precedence over the global settings.

  • Disable user account after n days of account creation or last enable: Disables user accounts after a specified number of days from account creation or from the last date when the account was enabled. You can check the user status at Administration > Identity Management > Identities > Users > Status.

  • Disable accounts after n days of inactivity: Disables administrator and user accounts that have not been authenticated for the configured consecutive number of days. The disable accounts after n days of inactivity option is only applicable for Cisco ISE Internal Users using internal passwords.

When you migrate from Cisco Secure ACS to Cisco ISE, the account disable policy settings specified for a network access user in Cisco Secure ACS are migrated to Cisco ISE.


A collection filter configured for any Filter Type filters out the authentication syslog messages that are sent to the monitoring node. For more information, see the topic "Collection Filters" in the chapter "Maintain and Monitor" in the Cisco ISE Administrator Guide.

If you configure a collection filter (Administration > System > Logging > Collection Filter) for any Attribute and Filter Type; and you have also selected the Disable account after n days of inactivity check box (Administration > Identity Management > User Authentication Settings > Disable Account Policy), your account might be disabled as a result of the syslog messages of successful authentication not being relayed to the monitoring node.

Disable Individual User Accounts

Cisco ISE allows you to disable an individual user account once the date specified for that user by the admin user has passed.


Step 1

Choose Administration > Identity Management > Identities > Users.

Step 2

Click Add to create a new user or check the check box next to an existing user and click Edit to edit the existing user details.

Step 3

Check the Disable account if the date exceeds check box and select the date.

This option allows you to disable the user account when the date configured at the user level is exceeded. You can configure different expiry dates for different users as required. This option overrules the global configuration for each individual user. The configured date can be either the current system date or a future date.



You are not allowed to enter a date earlier than the current system date.

Step 4

Click Submit to configure the account disable policy for an individual user.

Disable User Accounts Globally

You can disable user accounts on a certain date, several days after account creation or last access date, and after several days of account inactivity.


Step 1

Choose Administration > Identity Management > Settings > User Authentication Settings > Account Disable Policy.

Step 2

Perform one of the following actions:

  • Check the Disable account if date exceeds check box and select the appropriate date in yyyy-mm-dd format. This option allows you to disable the user account after the configured date. The Disable account if date exceeds setting at user level takes precedence over this global configuration.

  • Check the Disable account after n days of account creation or last enable check box and enter the number of days. This option disables the user account when the account creation date or last enable date is more than the specified number of days in the past. Administrators can manually enable disabled user accounts, which resets the day count.

  • Check the Disable account after n days of inactivity check box and enter the number of days. This option disables the user account when the account is inactive for the specified number of days.

Step 3

Click Submit to configure the global account disable policy.



When you are using the Disable account after n days of inactivity option to disable inactive users of Cisco ISE, the endpoints logged to My Devices portal will not have the number of active days reset. This is because My Devices portal doesn't send any profiling updates or accounting information.
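The following added example (not Cisco ISE code) evaluates the three account disable rules from the Disable Account Policy and Disable User Accounts Globally sections for one internal user: the per-user date taking precedence over the global date, the creation/last-enable counter that a manual re-enable restarts, and the inactivity rule that applies only to internal-password users and that, as the collection-filter caveat above warns, only sees authentications whose syslogs reached the monitoring node. Treating creation and a manual re-enable as activity is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class GlobalDisablePolicy:
    """Administration > Identity Management > Settings > User Authentication Settings."""
    disable_if_date_exceeds: Optional[date] = None
    disable_after_days_of_creation_or_enable: Optional[int] = None
    disable_after_days_of_inactivity: Optional[int] = None


@dataclass
class InternalUser:
    username: str
    created: date
    last_enabled: Optional[date] = None        # set when an admin re-enables the account
    last_authenticated: Optional[date] = None  # only updated from relayed authentication logs
    uses_internal_password: bool = True        # inactivity rule applies only to these users
    disable_if_date_exceeds: Optional[date] = None  # per-user setting, overrides the global one


def record_authentication(user: InternalUser, when: date, relayed_to_mnt: bool = True) -> None:
    """Update the activity date only if the success syslog reached the monitoring node.

    A collection filter that drops authentication syslogs leaves the date
    untouched, which is how an active user can still be disabled for inactivity.
    """
    if relayed_to_mnt:
        user.last_authenticated = when


def disable_reason(user: InternalUser, policy: GlobalDisablePolicy, today: date) -> Optional[str]:
    """Return why the account is disabled as of today, or None if it stays enabled."""
    # 1. Date exceeded: the per-user date takes precedence over the global date.
    cutoff = user.disable_if_date_exceeds or policy.disable_if_date_exceeds
    if cutoff is not None and today > cutoff:
        return f"date exceeded ({cutoff.isoformat()})"
    # 2. n days since creation or last enable: a manual re-enable restarts the count.
    days_limit = policy.disable_after_days_of_creation_or_enable
    if days_limit is not None:
        anchor = user.last_enabled or user.created
        elapsed = (today - anchor).days
        if elapsed > days_limit:
            return f"{elapsed} days since creation/last enable (limit {days_limit})"
    # 3. n days of inactivity, internal-password users only. Assumption: creation and a
    #    manual re-enable count as activity, otherwise a re-enabled account with no
    #    recorded authentication would be disabled again at once.
    idle_limit = policy.disable_after_days_of_inactivity
    if idle_limit is not None and user.uses_internal_password:
        last_active = max(d for d in (user.created, user.last_enabled, user.last_authenticated) if d)
        idle_days = (today - last_active).days
        if idle_days > idle_limit:
            return f"{idle_days} days of inactivity (limit {idle_limit})"
    return None


if __name__ == "__main__":
    policy = GlobalDisablePolicy(disable_if_date_exceeds=date(2024, 12, 31),
                                 disable_after_days_of_creation_or_enable=90,
                                 disable_after_days_of_inactivity=30)
    alice = InternalUser("alice", created=date(2024, 1, 1))
    print(disable_reason(alice, policy, date(2024, 2, 15)))  # inactivity
    record_authentication(alice, date(2024, 2, 10), relayed_to_mnt=False)  # filtered syslog
    print(disable_reason(alice, policy, date(2024, 2, 15)))  # still inactivity
```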

Internal and External Identity Sources

Identity sources are databases that store user information. Cisco ISE uses user information from the identity source to validate user credentials during authentication. User information includes group information and other attributes that are associated with the user. You can add, edit, and delete user information from identity sources.

Cisco ISE supports internal and external identity sources. You can use both sources to authenticate sponsor and guest users.

Internal Identity Sources

Cisco ISE has an internal user database where you can store user information. Users in the internal user database are called internal users. Cisco ISE also has an internal endpoint database that stores information about all the devices and endpoints that connect to it.

External Identity Sources

Cisco ISE allows you to configure the external identity source that contains user information. Cisco ISE connects to an external identity source to obtain user information for authentication. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles. Cisco ISE uses authentication protocols to communicate with external identity sources.

Note the following points while configuring policies for internal users:

  • Configure an authentication policy to authenticate internal users against an internal identity store.

  • Configure an authorization policy for internal user groups by selecting the following option:
    Identitygroup.Name EQUALS User Identity Groups: Group_Name

The following table lists authentication protocols and the external identity sources that they support.

Table 13. Authentication Protocols and Supported External Identity Sources

(Table; columns: Protocol (Authentication Type), Internal Database, Active Directory, RADIUS Token Server or RSA. Only the row labels are reproduced here.)

  • EAP-GTC, PAP (plain text password)

  • MS-CHAP password hash: EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, EAP-TTLS or TEAP)

  • (certificate retrieval)


For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required but can optionally be added for authorization policy conditions.







Credentials are stored differently, depending on the external data source connection type, and the features used.

  • When joining an Active Directory Domain (but not for Passive ID), the credentials that are used to join are not saved. Cisco ISE creates an AD computer account, if it does not exist, and uses that account to authenticate users.

  • For LDAP and Passive ID, the credentials that are used to connect to the external data source are also used to authenticate users.

Create an External Identity Source

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles that you need for certificate-based authentications.


To work with passive identity services, which enable you to receive and share authenticated user identities, see Additional Passive Identity Service Providers.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > External Identity Sources.

Step 2

Choose one of these options:

Authenticate Internal Users Against External Identity Store Password

Cisco ISE allows you to authenticate internal users against external identity store passwords. Cisco ISE provides an option to select the password identity store for internal users from the Administration > Identity Management > Identities > Users window. Administrators can select the identity store from the list of Cisco ISE External Identity Sources while adding or editing users in the Users window. The default password identity store for an internal user is the internal identity store. Cisco Secure ACS users will retain the same password identity store during and after migration from Cisco Secure ACS to Cisco ISE.

Cisco ISE supports the following external identity stores for password types:

  • Active Directory

  • LDAP

  • ODBC

  • RADIUS Token server

  • RSA SecurID server


As per the current design, if authentication is done against an external ID store, the internal user identity group name cannot be used in an authorization policy. To use an internal user identity group for authorization, the authentication policy must authenticate against the Internal Users ID store, and the password type, which can be either internal or external, must be selected in the user configuration.

Certificate Authentication Profiles

For each profile, you must specify the certificate field that should be used as the principal username and whether you want a binary comparison of the certificates.

Add a Certificate Authentication Profile

You must create a certificate authentication profile if you want to use the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate-based authentication method. Instead of authenticating via the traditional username and password method, Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a user.

Before you begin

You must be a Super Admin or System Admin.


Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > External Identity Sources > Certificate Authentication Profile > Add.

Step 2

Enter the name and an optional description for the certificate authentication profile.

Step 3

Select an identity store from the drop-down list.

Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates, you must select an identity source. If you select Active Directory as an identity source, subject and common name and subject alternative name (all values) can be used to look up a user.

Step 4

Select the use of identity from Certificate Attribute or Any Subject or Alternative Name Attributes in the Certificate. This will be used in logs and for lookups.

If you choose Any Subject or Alternative Name Attributes in the Certificate, the Active Directory UPN is used as the username for logs, and all subject names and alternative names in the certificate are tried when looking up the user. This option is available only if you choose Active Directory as the identity source.

Step 5

Choose when you want Cisco ISE to Match Client Certificate Against Certificate In Identity Store. For this, you must select an identity source (LDAP or Active Directory). If you select Active Directory, you can choose to match certificates only to resolve identity ambiguity.

  • Never: This option never performs a binary comparison.
  • Only to resolve identity ambiguity: This option performs the binary comparison of the client certificate to the certificate on the account in Active Directory only if ambiguity is encountered, for example, when several Active Directory accounts match the identity names taken from the certificate.
  • Always perform binary comparison: This option always performs the binary comparison of the client certificate to the certificate on the account in the identity store (Active Directory or LDAP).

Step 6

Click Submit to add the certificate authentication profile or save the changes.

Active Directory as an External Identity Source

Cisco ISE uses Microsoft Active Directory as an external identity source to access resources such as users, machines, groups, and attributes. User and machine authentication in Active Directory allows network access only to users and devices that are listed in Active Directory.

After a Cisco ISE node joins Active Directory, in Active Directory, it is a member of the Authenticated Users group. The Authenticated Users group is a member of the Pre-Windows 2000 group by default. If you disable the Pre-Windows 2000 group or remove Authenticated Users from the Pre-Windows 2000 group, authentication failures occur.

We recommend that you do not disable the Pre-Windows 2000 group. However, if you must disable this group for any reason, grant the Read Remote Access Information permission to Cisco ISE in AD for the relevant users or users' folders.

ISE Community Resource

ISE Administrative Portal Access with AD Credentials Configuration Example

Active Directory-Supported Authentication Protocols and Features

Active Directory supports features such as user and machine authentication and, with some protocols, changing Active Directory user passwords. The following table lists the authentication protocols and the respective features that are supported by Active Directory.

Table 14. Authentication Protocols Supported by Active Directory

Authentication Protocols and Supported Features

EAP-FAST and password based Protected Extensible Authentication Protocol (PEAP)

User and machine authentication with the ability to change passwords using EAP-FAST and PEAP with an inner method of MS-CHAPv2 and EAP-GTC

Password Authentication Protocol (PAP)

User and machine authentication

Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1)

User and machine authentication

Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)

User and machine authentication

Extensible Authentication Protocol-Generic Token Card (EAP-GTC)

User and machine authentication

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

  • User and machine authentication

  • Groups and attributes retrieval

  • Binary certificate comparison

Extensible Authentication Protocol- Flexible Authentication via Secure Tunneling-Transport Layer Security (EAP-FAST-TLS)

  • User and machine authentication

  • Groups and attributes retrieval

  • Binary certificate comparison

Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS)

  • User and machine authentication

  • Groups and attributes retrieval

  • Binary certificate comparison

Lightweight Extensible Authentication Protocol (LEAP)

User authentication

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

Cisco ISE retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

Cisco ISE may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

  • Policy rule conditions may reference any of the following: a user’s or computer’s primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

  • Domain local groups outside a user’s or computer’s account domain are not supported.


You can use the value of the Active Directory attribute msRADIUSFramedIPAddress as an IP address. This IP address can be sent to a network access server (NAS) in an authorization profile. The msRADIUSFramedIPAddress attribute supports only IPv4 addresses. Upon user authentication, the msRADIUSFramedIPAddress attribute value fetched for the user is converted to IP address format.

Attributes and groups are retrieved and managed per join point. They are used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's account domain. You can use authentication domains to ensure that no two join points in one scope have any overlap in authentication domains.

During the authorization process in a multi join point configuration, Cisco ISE searches the join points in the order in which they are listed in the authorization policy, only until the user is found. Once the user has been found, the attributes and groups assigned to the user in that join point are used to evaluate the authorization policy.

In a multi join point configuration, if authentication is successful for the same identity from each of the join points individually, then this authentication fails if it is done against the identity source sequence "All_AD_Join_Points".

In a multi join point configuration, if Active Directory group retrieval is successful for the same identity from each of the join points individually, then Active Directory group retrieval fails if:

  • different join points are used for authentication and authorization.

  • authentication uses EAP-TLS without Binary Comparison (Match Client Certificate Against Certificate In Identity Store is set to Never in the Certificate Authentication Profile) and there is an unmatched authorization rule with a different join point ahead of the matched authorization rule.

  • authentication uses EAP-TLS without Binary Comparison (Match Client Certificate Against Certificate In Identity Store is set to Never in Certificate Authentication Profile) and Machine Access Restriction (MAR) is enabled with the endpoint using a different join point within the MAR period, from the join point in the current matched authorization rule.


In a multi join point configuration, Active Directory group retrieval is successful for each of the join points individually, but it fails if the authentication rule is configured with an identity source sequence that includes "All_AD_Join_Points". Active Directory group retrieval also fails if different join points are used for authorization and authentication.

See Microsoft-imposed limits on the maximum number of usable Active Directory groups:

An authorization policy fails if the rule contains an Active Directory group name with special characters such as /, !, @, \, #, $, %, ^, &, *, (, ), _, +, or ~.

Admin user login through Active Directory might fail if the admin username contains $ character.

Use Explicit UPN

To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.

Support for Boolean Attributes

Cisco ISE supports retrieving Boolean attributes from Active Directory and LDAP identity stores.

You can configure the Boolean attributes while configuring the directory attributes for Active Directory or LDAP. These attributes are retrieved upon authentication with Active Directory or LDAP.

The Boolean attributes can be used for configuring policy rule conditions.

The Boolean attribute values are fetched from Active Directory or LDAP server as String type. Cisco ISE supports the following values for the Boolean attributes:

Boolean attribute value: supported values

  • True: t, T, true, TRUE, True, 1

  • False: f, F, false, FALSE, False, 0


Attribute substitution is not supported for the Boolean attributes.

If you configure a Boolean attribute (for example, msTSAllowLogon) as String type, the Boolean value of the attribute in the Active Directory or LDAP server will be set for the String attribute in Cisco ISE. You can change the attribute type to Boolean or add the attribute manually as Boolean type.

Active Directory Certificate Retrieval for Certificate-Based Authentication

Cisco ISE supports certificate retrieval for user and machine authentication that uses the EAP-TLS protocol. The user or machine record on Active Directory includes a certificate attribute of the binary data type. This certificate attribute can contain one or more certificates. Cisco ISE identifies this attribute as userCertificate and does not allow you to configure any other name for this attribute. Cisco ISE retrieves this certificate and uses it to perform binary comparison.

The certificate authentication profile determines the certificate field from which the username is taken in order to look up the user in Active Directory and retrieve the stored certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are retrieved, Cisco ISE compares each of them to find one that matches. When a match is found, the user or machine authentication passes.
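
The following added Python example (not Cisco ISE's code) models the certificate authentication profile lookup from the Add a Certificate Authentication Profile task together with the userCertificate comparison described here: identities are taken from the Subject CN or from any subject/SAN name, matching accounts are looked up by sAMAccountName or UPN, and the three Match Client Certificate Against Certificate In Identity Store modes decide whether a byte-for-byte comparison against the multi-valued userCertificate attribute is performed. The directory contents and the certificate bodies are constructed placeholders, not real X.509 data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The three comparison modes of the certificate authentication profile.
NEVER = "Never"
AMBIGUITY_ONLY = "Only to resolve identity ambiguity"
ALWAYS = "Always perform binary comparison"


@dataclass
class ClientCert:
    subject_cn: str
    san_names: List[str]
    der: bytes                 # constructed stand-in for the DER encoding


@dataclass
class DirectoryAccount:
    sam: str
    upn: str
    user_certificate: List[bytes] = field(default_factory=list)  # AD's multi-valued userCertificate attribute


def candidate_identities(cert: ClientCert, any_subject_or_san: bool) -> List[str]:
    """Names tried when looking up the account.

    any_subject_or_san=True mirrors "Any Subject or Alternative Name Attributes in the
    Certificate"; False mirrors "Certificate Attribute", fixed here to the Subject CN."""
    return [cert.subject_cn, *cert.san_names] if any_subject_or_san else [cert.subject_cn]


def lookup_accounts(directory: List[DirectoryAccount], identities: List[str]) -> List[DirectoryAccount]:
    """Every account whose sAMAccountName or UPN equals one of the identities (case-insensitive)."""
    wanted = {i.lower() for i in identities}
    return [a for a in directory if a.sam.lower() in wanted or a.upn.lower() in wanted]


def binary_match(cert: ClientCert, accounts: List[DirectoryAccount]) -> List[DirectoryAccount]:
    """Accounts holding a userCertificate value byte-identical to the client certificate."""
    return [a for a in accounts if any(stored == cert.der for stored in a.user_certificate)]


def authenticate(cert: ClientCert, directory: List[DirectoryAccount], mode: str,
                 any_subject_or_san: bool = True) -> Optional[DirectoryAccount]:
    """Return the single account the certificate authenticates as, or None on failure."""
    accounts = lookup_accounts(directory, candidate_identities(cert, any_subject_or_san))
    if not accounts:
        return None                                      # no such user or machine
    if mode == NEVER:
        # No comparison at all: one match passes, several matches stay ambiguous and fail.
        return accounts[0] if len(accounts) == 1 else None
    if mode == AMBIGUITY_ONLY and len(accounts) == 1:
        return accounts[0]                               # comparison is used only to disambiguate
    if mode in (AMBIGUITY_ONLY, ALWAYS):
        matched = binary_match(cert, accounts)
        return matched[0] if len(matched) == 1 else None
    raise ValueError(f"unknown comparison mode: {mode}")


def sample_directory() -> List[DirectoryAccount]:
    """Constructed accounts; the name "bob" resolves to two different objects (by SAM and by UPN)."""
    return [
        DirectoryAccount("alice", "alice@corp.example", [b"DER:alice:2024"]),
        DirectoryAccount("bsmith", "bob@corp.example", [b"DER:bsmith:2023", b"DER:bsmith:2024"]),
        DirectoryAccount("bob", "robert@corp.example", [b"DER:bob:2024"]),
    ]
```

Note that in Never mode a certificate whose bytes no longer match the stored userCertificate still authenticates, since only the name is checked.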

Active Directory User Authentication Process Flow

When authenticating or querying a user, Cisco ISE checks the following:

  • MS-CHAP and PAP authentications check whether the user is disabled, locked out, expired, or outside logon hours; the authentication fails if any of these conditions is true.

  • EAP-TLS authentications check whether the user is disabled or locked out; the authentication fails if either condition is met.

Connect Microsoft Entra ID with Cisco ISE

From Cisco ISE Release 3.1, Cisco ISE supports endpoint authentication and authorization with Microsoft Entra ID. Cisco ISE Release 3.1 supports only the Resource Owner Password Credentials (ROPC) method. Cisco ISE Release 3.2 supports EAP-TLS and TEAP methods in addition to the ROPC flow.

Configure Resource Owner Password Credentials Flow to Authenticate Users with Microsoft Entra ID


The Resource Owner Password Credentials (ROPC) flow in Cisco ISE is a controlled introduction feature. We recommend that you thoroughly test this feature in a test environment before using it in a production environment.

Resource Owner Password Credentials (ROPC) is an OAuth 2.0 grant type that allows Cisco ISE to carry out authorization and authentication in a network with cloud-based identity providers.

Using the ROPC flow, Cisco ISE validates a user’s credentials with a cloud-based identity source. The ROPC flow supports plaintext authentication protocols.

Cisco ISE currently supports Microsoft Entra ID through the ROPC flow.

Configure an Application for Resource Owner Password Credentials Flow in Microsoft Entra ID


Step 1

Log in to the Azure portal.

Step 2

Click the Directory+Application filter icon in the top navigation bar. Choose the Microsoft Entra ID tenant to which an ROPC-enabled application must be added.

Step 3

Use the search bar to find and choose App Registrations.

Step 4

Click + New Registration.

Step 5

In the Register an Application window displayed, enter a meaningful name for this app in the Name field.

Step 6

In the Supported account types area, click Accounts in this organizational directory only.

Step 7

Click Register.

Step 8

In the new window displayed, click Certificates & Secrets from the left menu pane.

Step 9

In the Client Secrets area, click + New Client Secret.

Step 10

In the Add a Client Secret dialog box displayed, enter a description in the Description field.

Step 11

In the Expiry area, click Never.

Step 12

Click Add.

Step 13

Click the copy to clipboard icon to copy the shared secret. You will need this value when configuring the ROPC flow in Cisco ISE.

Step 14

Click Overview in the left menu pane, and copy the following values to use in Cisco ISE when configuring the ROPC flow.

  • Application (client) ID.

  • Directory (tenant) ID.

Step 15

To enable the ROPC flow for this application, click Authentication in the left menu pane. In the Advanced Settings area, ensure that the toggle button is set to Yes.

Do not perform Step 15 if you want to use this application only for EAP-TLS or TEAP workflows.

Step 16

To add a groups claim to the app, click Token Configuration in the left menu pane.

Step 17

Click + Add Groups Claim.

Step 18

In the Edit Groups Claim dialog box, check the Security groups check box.

Step 19

Click Save.

Step 20

To enable the use of APIs, click API Permissions in the left menu pane.

Step 21

Click + Add A Permission.

Step 22

In the Microsoft APIs area, click Microsoft Graph.

Step 23

Click Application Permissions.

Step 24

In the Group drop-down area, check the Group.Read.All check box.

To use this application for EAP-TLS or TEAP workflows, check the User.Read and User.Read.All check boxes as well.

Step 25

Click Add Permissions.

Step 26

Click Grant Admin Consent for <user>, and then click Yes.
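
As an added example (not Cisco ISE's or Microsoft's code), the following Python builds the OAuth 2.0 ROPC token request that a client such as Cisco ISE sends to Microsoft Entra ID from the Application (client) ID, Directory (tenant) ID and client secret copied in Steps 13 and 14, and inspects the groups claim that Steps 16 to 19 add to the token. The scope value, the tenant and client IDs, and the token contents are assumptions or constructed placeholders.

```python
import base64
import json
from typing import List, Optional
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint; the tenant ID is the Directory (tenant) ID.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_ropc_token_request(tenant_id: str, client_id: str, client_secret: str,
                             username: str, password: str):
    """Return (url, form_body) for the ROPC grant.

    The user's clear-text password travels as a form field inside TLS, which is why ROPC
    pairs only with protocols that hand Cisco ISE the password itself (PAP, EAP-GTC) and
    not with challenge/response methods such as MS-CHAPv2."""
    form = {
        "grant_type": "password",
        "client_id": client_id,                      # Application (client) ID (Step 14)
        "client_secret": client_secret,              # value copied in Step 13
        "scope": "https://graph.microsoft.com/.default",  # assumed scope for this example
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), urlencode(form)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Parse the payload of a JWT. Inspection only: no signature check is done here, so
    no access decision may be based on these claims before the token is verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def groups_from_claims(claims: dict) -> Optional[List[str]]:
    """Security-group object IDs from the groups claim.

    Returns None when the token carries a group overage marker instead of the list (the
    user belongs to more groups than the token can hold); the groups must then be read
    through Microsoft Graph, which is what the Group.Read.All permission in Step 24 allows."""
    if "groups" in claims:
        return list(claims["groups"])
    if "_claim_names" in claims or claims.get("hasgroups"):
        return None
    return []


def constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), "constructed-signature"])
```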

Configure Resource Owner Password Credentials Flow in Cisco ISE

Before you begin

In the Cisco ISE GUI, click the Menu icon () and choose System > Certificates > Certificate Management > Trusted Certificates. Check whether DigiCert Global Root G2 is displayed in the list of trusted certificates.

If this certificate is not available in the Trusted Certificates store, import the public root certificate DigiCert Global Root G2 in PEM format into the Cisco ISE Trusted Certificates store.



Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > Settings > REST ID Store Settings.

Step 2

Click Enabled, and then click Submit.

The message "The service is starting. This may take a few minutes." is displayed on the window while the service is being enabled. The message "The service is enabled" is displayed on the window to indicate that the service is active.

Step 3

In the Cisco ISE GUI, click the Menu icon () and choose Administration > Identity Management > External Identity Sources > REST.

Step 4

Click Add.

Step 5

In the new window displayed, in the General tab, enter a value in the Name field.

Step 6

From the REST Identity Provider drop-down list, choose the identity source to be configured.

Step 7

Enter the required values for the fields Client ID, Client Secret, and Tenant ID, from the information saved when configuring Microsoft Entra ID in the preceding task.

Step 8

Click Test Connection to check if Cisco ISE is able to connect to the chosen identity source.

Step 9

Click Submit.

Step 10

To add a REST identity store group, choose the Groups tab and click Add.

Click Retrieve Groups to import the user groups from the connected identity source. Check the check boxes next to the groups that you want to select and click Save. You can also select all the groups, if needed. The selected groups are listed in the Groups tab.

You can filter the results using the filter option.

To delete a user group, check the check box next to the group that you want to delete and click Delete.

Step 11

(Optional) Enter a value in the Username Suffix field to authenticate the users of a Microsoft Entra ID tenant by their user names.

For example, if the Azure Active Directory User Principal Name (UPN) of a user is, the suffix is the separator and the domain name is

Step 12

Click Submit.

EAP-TLS and TEAP Authentication with Microsoft Entra ID

Cisco ISE supports certificate-based authentication and Microsoft Entra ID authorization. The certificate-based authentications can be either EAP-TLS or TEAP with EAP-TLS as the inner method. Then, you can select attributes from Microsoft Entra ID and add them to the Cisco ISE dictionary. These attributes can be used for authorization.


Step 1

Configure a Microsoft Entra ID application for Cisco ISE by following the steps in the task Configure an Application for Resource Owner Password Credentials Flow in Microsoft Entra ID. Do not perform Step 15.

Step 2

Connect the Microsoft Entra ID application to Cisco ISE by following the steps in the task Configure Resource Owner Password Credentials Flow in Cisco ISE.

Step 3

To choose the attributes that you want to add to the Cisco ISE dictionary for the Microsoft Entra ID integration, choose Administration > Identity Management > External Identity Sources > REST. From the list of REST identity source integrations, click the integration for which you want to choose attributes.

Step 4

In the User attributes tab, click Add. Check the check boxes next to the attributes that you want to add to the Cisco ISE dictionary. You can then use the attributes from the dictionary in policy set creations.

Support for Active Directory Multidomain Forests

Cisco ISE supports Active Directory with multidomain forests. Within each forest, Cisco ISE connects to a single domain, but can access resources from the other domains in the Active Directory forest if trust relationships are established between the domain to which Cisco ISE is connected and the other domains.

Refer to Release Notes for Cisco Identity Services Engine for a list of Windows Server Operating Systems that support Active Directory services.


Cisco ISE does not support Microsoft Active Directory servers that reside behind a network address translator and have a Network Address Translation (NAT) address.

Prerequisites for Integrating Active Directory and Cisco ISE

This section describes the manual steps required to configure Active Directory for integration with Cisco ISE. However, in most cases, you can enable Cisco ISE to automatically configure Active Directory. The following are the prerequisites to integrate Active Directory with Cisco ISE.

  • Ensure you have Active Directory Domain Admin credentials, required to make changes to any of the AD domain configurations.

  • Ensure you have the privileges of a Super Admin or System Admin in Cisco ISE.

  • Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory. You can configure NTP settings from Cisco ISE CLI.

  • Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. If you want to query other domains from a specific join point, ensure that trust relationships exist between the join point and the other domains that have the user and machine information to which you need access. If trust relationships do not exist, you must create another join point to the untrusted domain. For more information on establishing trust relationships, refer to Microsoft Active Directory documentation.

  • You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to which you are joining Cisco ISE.

Active Directory Account Permissions Required to Perform Various Operations


The join operation requires the following account permissions:

  • Search Active Directory (to see if a Cisco ISE machine account exists)

  • Create Cisco ISE machine account to domain (if the machine account does not already exist)

  • Set attributes on the new machine account (for example, Cisco ISE machine account password, SPN, dnsHostname)

The leave operation requires the following account permissions:

  • Search Active Directory (to see if a Cisco ISE machine account exists)

  • Remove the Cisco ISE machine account from the domain

If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

The ISE machine account that communicates to the Active Directory connection requires the following permissions:

  • Change password

  • Read the user and machine objects corresponding to users and machines that are authenticated

  • Query Active Directory to get information (for example, trusted domains, alternative UPN suffixes, and so on)

  • Read the tokenGroups attribute

You can precreate the machine account in Active Directory. If the SAM name matches the Cisco ISE appliance hostname, it is located during the join operation and re-used.

If there are multiple join operations, multiple machine accounts are maintained inside Cisco ISE, one for each join.


The credentials that are used for the join or leave operation are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored.

The Network access: Restrict clients allowed to make remote calls to SAM security policy in Microsoft Active Directory has been revised. Hence, Cisco ISE might not be able to update its machine account password every 15 days. If the machine account password is not updated, Cisco ISE no longer authenticates users through Microsoft Active Directory. You receive the AD: ISE password update failed alarm on your Cisco ISE dashboard to notify you of this event.


This issue happens in Windows Server 2016 Active Directory or later and Windows 10 version 1607 because of the restriction introduced in them. To overcome this restriction, when you integrate Windows Server 2016 Active Directory or later, or Windows 10 version 1607, with Cisco ISE, you must set the following registry value from non-zero to blank to give access to all:

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictremotesam

This allows Cisco ISE to update its machine account password.

This security policy governs which users are allowed to enumerate users and groups in the local Security Accounts Manager (SAM) database and in Microsoft Active Directory. To ensure that Cisco ISE can update its machine account password, check that your configurations in Microsoft Active Directory are accurate. For more information on the Windows operating systems and Windows Server versions affected, what this means for your network, and what changes may be needed, see:

Network Ports that Must Be Open for Communication

(Table; columns: Port (remote-local), Target, Authenticated. Only the following cells are reproduced here.)

  • Port: random number greater than or equal to 49152; Target: DNS Servers/AD Domain Controllers

  • Target: Domain Controllers

  • Kerberos (TCP/UDP); Target: Domain Controllers; Authenticated: Yes (Kerberos)

  • Target: Domain Controllers

  • Target: Global Catalog Servers

  • Target: NTP Servers/Domain Controllers

  • Target: Other ISE Nodes in the Deployment; Authenticated: Yes (Using RBAC credentials)

DNS Server

While configuring your DNS server, make sure that you take care of the following:

  • The DNS servers that you configure in Cisco ISE must be able to resolve all forward and reverse DNS queries for the domains that you want to use.

  • Use an authoritative DNS server to resolve Active Directory records; DNS recursion can cause delays and significantly degrade performance.

  • All DNS servers must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.

  • Cisco recommends that you add the server IP addresses to SRV responses to improve performance.

  • Avoid using DNS servers that query the public Internet. They can leak information about your network when an unknown name has to be resolved.

Configure Active Directory as an External Identity Source

Configure Active Directory as an external identity source as part of the configuration for features such as Easy Connect and the PassiveID Work Center. For more information about these features, see Easy Connect and PassiveID Work Center.

Before you configure Active Directory as an External Identity Source, make sure that:

  • The Microsoft Active Directory server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.

  • The Microsoft Active Directory account intended for the join operation is valid and is not configured with the Change Password on Next Login option.

  • You have the privileges of a Super Admin or System Admin in ISE.


If you see operational issues when Cisco ISE is connected to Active Directory, see the AD Connector Operations Report under Operations > Reports.

You must perform the following tasks to configure Active Directory as an external identity source.

  1. Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point

  2. Configure Authentication Domains

  3. Configure Active Directory User Groups

  4. Configure Active Directory User and Machine Attributes

  5. (Optional) Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings

Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point

Before you begin

Ensure that the Cisco ISE node can communicate with the networks where the NTP servers, DNS servers, domain controllers, and global catalog servers are located. You can check these parameters by running the Domain Diagnostic tool.

Join points must be created in order to work with Active Directory as well as with the Agent, Syslog, SPAN and Endpoint probes of the Passive ID Work Center.

If you want to use IPv6 when integrating with Active Directory, then you must ensure that you have configured an IPv6 address for the relevant ISE nodes.

If you use the Google Chrome browser and have ad blocking software enabled, you must disable the ad blocker. This task contains Cisco ISE GUI elements that are affected by ad blockers. Alternatively, you can carry out this task in a Google Chrome Incognito browser.


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click Add and enter the domain name and identity store name from the Active Directory Join Point Name settings.

Step 3

Click Submit.

A pop-up appears asking if you want to join the newly created join point to the domain. Click Yes if you want to join immediately.

If you clicked No, then saving the configuration saves the Active Directory domain configuration globally (in the primary and secondary policy service nodes), but none of the Cisco ISE nodes are joined to the domain yet.

Step 4

Check the check box next to the new Active Directory join point that you created and click Edit, or click on the new Active Directory join point from the navigation pane on the left. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their status.

Step 5

In case the join point was not joined to the domain during Step 3, check the check box next to the relevant Cisco ISE nodes and click Join to join the Cisco ISE node to the Active Directory domain.

You must do this explicitly even though you saved the configuration. To join multiple Cisco ISE nodes to a domain in a single operation, the username and password of the account to be used must be the same for all join operations. If different username and passwords are required to join each Cisco ISE node, the join operation should be performed individually for each Cisco ISE node.

Step 6

Enter the Active Directory username and password in the Join Domain dialog box.

It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password will be saved in order to be used for all Domain Controllers (DC) that are configured for monitoring.

The user used for the join operation should exist in the domain itself. If it exists in a different domain or subdomain, the username should be noted in a UPN notation, such as

Step 7

(Optional) Check the Specify Organizational Unit check box.

You should check this check box in case the Cisco ISE node machine account is to be located in a specific Organizational Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the specified organizational unit or moves it to this location if the machine account already exists. If the organizational unit is not specified, Cisco ISE uses the default location. The value should be specified in full distinguished name (DN) format. The syntax must conform to the Microsoft guidelines. Special reserved characters, such as /'+,;=<> line feed, space, and carriage return must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this check box. You can also change the location of the machine account after you join to the Active Directory domain.

Step 8

Click OK.

You can select more than one node to join to the Active Directory domain.

If the join operation is not successful, a failure message appears. Click the failure message for each node to view detailed logs for that node.

Note the following points while configuring the join points:

  • When using multiple join points, if an alternate UPN suffix is configured for only a single join point or domain, identity lookup is performed only in that join point or domain. Authentication might fail in such cases. As a workaround, you can configure the alternate UPN suffix for all the join points or domains.

  • You can only add up to 200 Domain Controllers on ISE. On exceeding the limit, you will receive the error "Error creating <DC FQDN> - Number of DCs Exceeds allowed maximum of 200". For more information on the tested scale limit of domain controllers for deployment, see Performance and Scalability Guide for Cisco Identity Services Engine.

  • When the join is complete, Cisco ISE updates its AD groups and corresponding security identifiers (SIDs). Cisco ISE automatically starts the SID update process. You must ensure that this process is allowed to complete.

  • You might not be able to join Cisco ISE with an Active Directory domain if the DNS service (SRV) records are missing (the domain controllers do not advertise their SRV records for the domain that you are trying to join to).

  • The AD machine account name that is created will not match the Cisco ISE hostname if the hostname contains more than 15 characters. In this case, the machine account name will be created in the following format:

    first_8_characters_of(hostname) + "-" + 6 random characters + "$"

    For the machine account name and the hostname to match, the hostname must have 15 characters or less.

  • Even if the AD credentials used to join Cisco ISE and AD are no longer valid, the join point between Cisco ISE and AD remains unchanged.
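A helper for reconciling Cisco ISE nodes against the computer accounts in Active Directory using the naming rule above, as an added example (not Cisco code): it builds the expected machine account name, or a pattern for it when the hostname is longer than 15 characters, and flags which hostnames will not match their account name. It assumes the account is derived from the short hostname, that AD stores the name in upper case, and matches the six random characters with any character, since the page does not state their character set.

```python
"""Reconcile ISE node hostnames with AD computer account names (added example, not Cisco code)."""
import re
from typing import Dict, List

ACCOUNT_NAME_LIMIT = 15  # hostnames longer than this get the truncated form


def _short_host(hostname: str) -> str:
    # Assumption: the account is built from the short hostname, without any DNS suffix.
    return hostname.split(".", 1)[0]


def will_match_hostname(hostname: str) -> bool:
    """True when the AD machine account name will equal the hostname plus '$'."""
    return len(_short_host(hostname)) <= ACCOUNT_NAME_LIMIT


def machine_account_pattern(hostname: str) -> "re.Pattern[str]":
    """Regex for the sAMAccountName ISE's machine account will have.

    <= 15 chars: the hostname itself plus '$'.
    >  15 chars: first 8 chars + '-' + 6 random chars + '$'; the random part is
    unknowable in advance, so only a pattern can be built. Case-insensitive,
    because AD stores computer account names in upper case.
    """
    host = _short_host(hostname)
    if len(host) <= ACCOUNT_NAME_LIMIT:
        return re.compile(rf"^{re.escape(host)}\$$", re.IGNORECASE)
    return re.compile(rf"^{re.escape(host[:8])}-.{{6}}\$$", re.IGNORECASE)


def reconcile(ise_hostnames: List[str], ad_computer_accounts: List[str]) -> Dict[str, List[str]]:
    """Map each ISE hostname to the AD computer accounts that could be its machine account.

    An empty list means no account was found; more than one entry means the
    truncated pattern is ambiguous and the object must be identified another way.
    """
    result: Dict[str, List[str]] = {}
    for host in ise_hostnames:
        pattern = machine_account_pattern(host)
        result[host] = [acct for acct in ad_computer_accounts if pattern.match(acct)]
    return result
```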

Assign Dedicated Resources for Join Points

From Cisco ISE Release 3.3 Patch 4 and later, you can reserve resources for the join points in each PSN. This resource segmentation helps reduce the performance impact caused by resource sharing among the join points. It also reduces authentication performance issues in a complex Active Directory environment with multiple domains and join points across PSNs. The reservation is per PSN, and you can reserve up to ten join points per PSN. Nodes operate independently and do not affect each other. Additionally, join points in a reserved state remain unaffected.


Performance impact might be seen in these scenarios:

  • If the join point trust relationship is slow.

  • If the Identity Sequence includes slow join points.

Follow these steps to reserve dedicated resources for the join points:


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources.

Step 2

Click Active Directory.

Step 3

From the Advanced Tools drop-down list, choose Join Point Prioritization.

Step 4

From the Actions drop-down list, choose Edit.

The Selected Join Points page is displayed with all the join points.

Step 5

From the Available Join Points pane, choose the join points that you want to assign to the PSN.

Step 6

Click Apply and then Save.

Add Domain Controllers


Step 1

Choose Work Centers > PassiveID > Providers and then from the left panel choose Active Directory.

Step 2

Check the check box next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses.

Step 3

Go to the PassiveID tab and click Add DCs.



To add a new Domain Controller (DC) for Passive Identity services, you need the login credentials of that DC.

Step 4

Check the check box next to the domain controllers that you would like to add to the join point for monitoring and click OK.

The domain controllers appear in the Domain Controllers list of the PassiveID tab.

Step 5

Configure the domain controller:

  1. Check the check box next to the domain controller and click Edit. The Edit Item screen appears.

  2. Optionally, edit the different domain controller fields.

The DC failover mechanism is managed based on the DC priority list, which determines the order in which the DCs are selected in case of failover. If a DC is offline or not reachable due to some error, its priority is decreased in the priority list. When the DC comes back online, its priority is adjusted accordingly (increased) in the priority list.

MSRPC Protocol for Passive ID

From Cisco ISE Release 3.0 onwards, you can use MS-Eventing API or Microsoft Remote Procedure Call (MSRPC) protocol for Passive Identity. MSRPC protocol is used to establish node communication and monitor heartbeats between nodes in Cisco ISE.

MSRPC protocol promotes a reliable mechanism when Cisco ISE or Cisco ISE-PIC collects or monitors the events from several domain controllers. It also reduces latency on the domain controller user logon events.

For Cisco ISE 3.0 and later, MSRPC is the default protocol. We recommend that you enable the primary and secondary agent for the high availability functionality of MSRPC, so that if there is a failure in the server where the primary agent is installed, the secondary agent becomes active and monitors the domain controller.

You can also choose the standalone option for MSRPC while creating an agent. However, a standalone agent is not backed up by a secondary agent; if the agent fails, the domain controller events cannot be monitored.

While upgrading from Cisco ISE 2.x to 3.0 version, if the member server is updated with existing agents, the agent version is displayed as in the Version column in the Agents window. To view this window, click the Menu icon and choose Work Centers > Passive ID > Providers > Agents.

When the agent is installed on the domain controller directly, ensure that the monitoring user is a member of the Event Log Readers group.

When the agent is installed on the AD domain member server, you must do the following:

  • Ensure that the monitoring user is a member of the Event Log Readers group.

  • If you have configured high availability, open UDP port 9095 in the firewall between the server pair.

  • Ensure that the DNS servers configured in Cisco ISE are able to resolve the forward (A) and reverse (PTR) records of the Windows member servers. You must add the required details, if missing.

Irrespective of whether the agent is installed directly on the domain controller or on a member server, enable the following firewall rules of the Remote Event Log Management group on the domain controller, to allow the server to access the event logs of the domain controller.

  • Remote Event Log Management (NP-in)

  • Remote Event Log Management (RPC)

  • Remote Event Log Management (RPC-EPMAP)

If this is done after the agent is installed, you must restart the agent service on the server.

Deploy Agents for MSRPC

Before you begin

You must enable the Passive Identity Service. To do this:

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Deployment and check the check box adjacent to the deployment node. Click Edit. In the Edit Node window, check the Enable Passive Identity Service check box and click Save.

In the Cisco ISE-PIC GUI, choose Administration > System > Deployment and check the check box adjacent to the deployment node. Click Edit. In the Edit Node window, check the Enable Passive Identity Service check box and click Save.


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > Passive ID > Providers > Agents.

Step 2

Click Add.

Step 3

In the Agents window, click Deploy New Agent, if you want to deploy new agents or click Register Existing Agents, if you want to register an existing agent.

If you choose the Register Existing Agent option, a request from a supported registered client may be dropped due to the unsupported protocol. In such events, you need to configure the Cisco ISE client with a supported protocol.

Step 4

Enter the agent name in the Name field.

Step 5

Enter the Host FQDN URL in the Host FQDN field.

Step 6

Enter the User Name and Password.

The user account must have the permission to connect remotely to install the PIC agent.

Step 7

Choose MSRPC from the Protocol drop-down list.

Step 8

Click Primary in the High Availability Settings section.

After the primary agent is successfully deployed, the above steps should be repeated to deploy the secondary agents by selecting the Secondary option in the High Availability Settings section. While deploying the secondary agent, select the configured primary agent from the Primary Agent drop-down list.

Step 9

Click Deploy.

Map Domain Controller with Primary Agent

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > PassiveID > Providers > Active Directory.

Step 2

In the Active Directory window, click Add.

Step 3

In the Connection section, enter the Join Point Name and Active Directory Domain for the domain controller.

Step 4

Click Submit.

The following message is displayed:

Would you like to Join all ISE Nodes to this Active Directory Domain?

Step 5

Click Yes to join all the ISE nodes.

Step 6

In the Join Domain pop-up window, enter the AD User name and Password.

Step 7

Click OK.

Step 8

Click the PassiveID tab.

Step 9

In the PassiveID Domain Controllers window, click the check box adjacent to the ISE domain you want to map.

For multiple DC mapping, you can choose the existing agent from the Use Existing Agent option.

Step 10

Click Edit.

Step 11

Enter the Host FQDN URL in the Host FQDN field.

Step 12

Enter the AD credentials in the AD User Name and Password fields. The user account must have the permission to read the security events on the domain controller.

Step 13

Choose Agent from the Protocol drop-down list.

Step 14

Select the corresponding agent (Primary for high availability or Standalone) from the Agent drop-down list.

Step 15

Click Save.

You can review the agent mapping status, the agent monitoring the domain controller, and the agent role in the Dashboard. To view this window, click the Menu icon and choose Work Centers > PassiveID > Overview.

In the Cisco ISE GUI, click the Menu icon and choose Operations > RADIUS > Live Sessions to view the domain controller event logs.

Leave the Active Directory Domain

If you no longer need to authenticate users or machines from this Active Directory domain or from this join point, you can leave the Active Directory domain.

When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined. However, the Cisco ISE node account is not removed from the Active Directory domain. We recommend that you perform a leave operation from the Admin portal with the Active Directory credentials because it also removes the node account from the Active Directory domain. This is also recommended when you change the Cisco ISE hostname.

Before you begin

If you leave the Active Directory domain, but still use Active Directory as an identity source for authentication (either directly or as part of an identity source sequence), authentications may fail.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Check the checkbox next to the Active Directory join point that you created and click Edit. The deployment join/leave table is displayed with all the Cisco ISE nodes, the node roles, and their statuses.

Step 3

Check the checkbox next to the Cisco ISE node and click Leave.

Step 4

Enter the Active Directory username and password, and click OK to leave the domain and remove the machine account from the Cisco ISE database.

If you enter the Active Directory credentials, the Cisco ISE node leaves the Active Directory domain and deletes the Cisco ISE machine account from the Active Directory database.



To delete the Cisco ISE machine account from the Active Directory database, the Active Directory credentials that you provide here must have the permission to remove a machine account from the domain.

Step 5

If you do not have the Active Directory credentials, check the No Credentials Available checkbox, and click OK.

If you check the Leave domain without credentials checkbox, the primary Cisco ISE node leaves the Active Directory domain. The Active Directory administrator must manually remove the machine account that was created in Active Directory during the time of the join.

Configure Authentication Domains

The domain to which Cisco ISE is joined has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that authentications are performed against the selected domains only. Authentication domains improve security because they instruct Cisco ISE to authenticate users only from the selected domains and not from all domains trusted by the join point. Authentication domains also improve the performance and latency of authentication request processing because they limit the search area (that is, where accounts matching the incoming username or identity are searched for). This is especially important when the incoming username or identity does not contain domain markup (prefix or suffix). For these reasons, configuring authentication domains is a best practice, and we highly recommend it.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click Active Directory join point.

Step 3

Click the Authentication Domains tab.

A table appears with a list of your trusted domains. By default, Cisco ISE permits authentication against all trusted domains.

Step 4

To allow only specified domains, uncheck Use all Active Directory domains for authentication check box.

Step 5

Check the check box next to the domains for which you want to allow authentication, and click Enable Selected. In the Authenticate column, the status of this domain changes to Yes.

You can also disable selected domains.

Step 6

Click Show Unusable Domains to view a list of domains that cannot be used. Unusable domains are domains that Cisco ISE cannot use for authentication due to reasons such as one-way trust, selective authentication and so on.

What to do next

Configure Active Directory user groups.

Configure Active Directory User Groups

You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, Cisco ISE uses security identifiers (SIDs) to help resolve group name ambiguity issues and to enhance group mappings. SID provides accurate group assignment matching.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click the Groups tab.

Step 3

Do one of the following:

  1. Choose Add > Select Groups From Directory to choose an existing group.

  2. Choose Add > Add Group to manually add a group. You can either provide both group name and SID or provide only the group name and press Fetch SID.

Do not use double quotes (") in the group name for the user interface login.

Step 4

If you are selecting groups from the directory, you can search for them using a filter. For example, enter admin* as the filter criteria and click Retrieve Groups to view user groups that begin with admin. You can also enter the asterisk (*) wildcard character to filter the results. You can retrieve only 500 groups at a time.

Step 5

Check the check boxes next to the groups that you want to be available for use in authorization policies and click OK.

Step 6

If you choose to manually add a group, enter a name and SID for the new group.

Step 7

Click OK.

Step 8

Click Save.



If you delete a group and create a new group with the same name as original, you must click Update SID Values to assign new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first join.

What to do next

Configure Active Directory user attributes.

Configure Active Directory User and Machine Attributes

You must configure Active Directory user and machine attributes to be able to use them in conditions in authorization policies.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click the Attributes tab.

Step 3

Choose Add > Add Attribute to manually add an attribute, or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.

Cisco ISE allows you to configure the AD with IPv4 or IPv6 address for user authentication when you manually add the attribute type IP.

Step 4

If you choose to add attributes from the directory, enter the name of a user in the Sample User or Machine Account field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter administrator to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.



When you enter an example username, ensure that you choose a user from the Active Directory domain to which Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with "host/" or use the SAM$ format. For example, you might use host/myhost. The example values displayed when you retrieve attributes are provided for illustration only and are not stored.

Step 5

Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.

Step 6

If you choose to manually add an attribute, enter a name for the new attribute.

Step 7

Click Save.

Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings

Before you begin

You must join Cisco ISE to the Active Directory domain. For more information, see Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Check the check box next to the relevant Cisco ISE node and click Edit.

Step 3

Click the Advanced Settings tab.

Step 4

Modify the Password Change, Machine Authentication, and Machine Access Restrictions (MARs) settings as required.

Step 5

Check the Enable dial-in check check box to check the dial-in permissions of the user during authentication or query. If the dial-in permission is denied, the result of the check can cause the authentication to be rejected.

Step 6

Check the Enable callback check for dial-in clients check box if you want the server to call back the user during authentication or query. The IP address or phone number used by the server can be set either by the caller or the network administrator. The result of the check is returned to the device on the RADIUS response.

Step 7

Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text authentications. The default and recommended option is MS-RPC.

Configure Maximum Password Attempts for Active Directory Account

A Cisco ISE admin needs a mechanism to prevent Active Directory account lockout because of too many bad password attempts. You can configure the Bad Password Count attribute to prevent a lockout. Before sending the authentication to Active Directory, Cisco ISE should check if there are enough attempts left.

Before authenticating a user, Cisco ISE compares the maximum bad password attempts configured in Cisco ISE with the current value of the badPwdCount attribute on the Active Directory. When the maximum bad password attempts configured in Cisco ISE is equal to the value of the badPwdCount attribute, the authentication is dropped and not sent to the Active Directory.


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Check the check box next to the relevant Cisco ISE node and click Edit.

Step 3

Click the Advanced Settings tab.

Step 4

In the Prevent Active Directory User Lockout section, check the Enable Failed Authentication Protection check box.

Step 5

Enter the number of maximum bad password attempts.



The maximum password attempts here should be less than the maximum bad password attempts configured as the value of the badPwdCount attribute in the Active Directory.

Step 6

Check the Wired and Wireless check boxes as per the connection requests, for authentication.



The connection type (Wired or Wireless) is derived from the RADIUS NAS-Port-Type attribute. The NAD must include the correct value for this RADIUS attribute in the Access-Request message for this feature to function.

Step 7

Click Save.

Step 8

In the Cisco ISE GUI, click the Menu icon and choose Policy > Policy Sets > Default > Authentication Policy.

Step 9

For the required Rule Name, use the Active Directory configured as the Identity Source.



Identity Sequence Scope or Active Directory Scope will not work. Make sure you use the specific Active Directory join point.

Step 10

Click Save.

Step 11

The same can be configured for Guest Portals as well.

Step 12

In the Cisco ISE GUI, click the Menu icon and choose Work Centers > Guest Access > Identities > Identity Source Sequences > Add.

Step 13

Enter the Name of the Identity Source Sequence.

Step 14

In the Authentication Search List section, use the > button to move the identity sources from the Available pane to the Selected pane.



Identity Sequence Scope or Active Directory Scope will not work. Make sure that you use the specific Active Directory join point. It uses only the first Active Directory join point that has this capability enabled. If this capability is enabled on more than one join point, only the first join point in the list is checked.

Step 15

Click Submit.


Issue 1: User is locked in Active Directory.

Solution: Ask the network administrator to reset the badPwdCount attribute for that user on the Active Directory.

Issue 2: User fails authentication in Active Directory while lockout prevention is enabled for that Active Directory.

Solution: Check or perform the following:

  • Ensure that the User account exists in the Active Directory.

  • The badPwdCount attribute value for the user account in the Active Directory must be less than the maximum bad password attempts configured in Cisco ISE.

  • Authenticate using the unselected connection type. If lockout prevention is set to Wireless, try to authenticate using a Wired connection and vice versa. Successful authentication resets the badPwdCount attribute in the Active Directory.

  • Ask the network administrator to reset the badPwdCount attribute for the user in the Active Directory.

Issue 3: User gets locked out even when the lockout prevention for Active Directory is enabled.

Solution: Ensure that the maximum bad password attempts configured in Cisco ISE is less than the value of the badPwdCount attribute set in the Active Directory.

Issue 4: User fails authentication in Active Directory in a portal flow while lockout prevention is enabled for that Active Directory.

Solution: Check or perform the following:

  • Make sure that the relevant Active Directory instance is part of the identity store (not sequence) used for that portal flow.

  • Ensure that the user account exists in the Active Directory.

  • The badPwdCount attribute value for the user account in the Active Directory must be less than the maximum bad password attempts configured in Cisco ISE.

  • Try authenticating using the unselected connection type. If lockout prevention is set to Wireless, try to authenticate using Wired connection and vice versa. Successful authentication resets the badPwdCount attribute in the Active Directory.

  • Ask the network administrator to reset the badPwdCount attribute for the user in the Active Directory.
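A small model of the lockout-prevention check described in this section and of the troubleshooting cases above, as an added example (not Cisco code): it reproduces the decision to drop a request when the user's badPwdCount has reached the configured maximum, gates it on the Wired or Wireless connection type derived from NAS-Port-Type, and replays a sequence of attempts against a simulated domain controller so the effect of the ISE maximum relative to the AD lockout threshold (Issue 3) can be seen. It assumes the standard RADIUS NAS-Port-Type values 15 (Ethernet) and 19 (Wireless-802.11), that the AD lockout threshold is the value the page calls the AD-side badPwdCount setting, and a constructed account.

```python
"""Model of Cisco ISE's Active Directory lockout-prevention check (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard RADIUS NAS-Port-Type values that map to the Wired and Wireless check boxes.
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19


@dataclass
class LockoutPrevention:
    """The Prevent Active Directory User Lockout settings of one join point."""
    enabled: bool
    max_bad_password_attempts: int
    wired: bool
    wireless: bool

    def applies_to(self, nas_port_type: Optional[int]) -> bool:
        """The check only runs for the connection types that were selected."""
        if not self.enabled or nas_port_type is None:
            return False
        if nas_port_type == NAS_PORT_TYPE_ETHERNET:
            return self.wired
        if nas_port_type == NAS_PORT_TYPE_WIRELESS_80211:
            return self.wireless
        return False


def decide(cfg: LockoutPrevention, bad_pwd_count: int, nas_port_type: Optional[int]) -> str:
    """'drop' when ISE withholds the request from AD, otherwise 'forward'."""
    if not cfg.applies_to(nas_port_type):
        return "forward"
    # The page states the request is dropped when the configured maximum equals
    # badPwdCount; counts beyond the maximum are treated the same way (assumption).
    return "drop" if bad_pwd_count >= cfg.max_bad_password_attempts else "forward"


def validate_against_ad_policy(cfg: LockoutPrevention, ad_lockout_threshold: int) -> List[str]:
    """Configuration problems behind Issue 3: the ISE maximum must be strictly
    less than the AD lockout threshold, or users still get locked out."""
    problems: List[str] = []
    if ad_lockout_threshold == 0:
        # Assumption from AD behaviour: threshold 0 means accounts are never locked out.
        problems.append("AD lockout threshold is 0 (lockout disabled); the protection does nothing")
    elif cfg.max_bad_password_attempts >= ad_lockout_threshold:
        problems.append(f"ISE maximum ({cfg.max_bad_password_attempts}) must be less than the "
                        f"AD lockout threshold ({ad_lockout_threshold}); users can still be locked out")
    if cfg.enabled and not (cfg.wired or cfg.wireless):
        problems.append("neither Wired nor Wireless is selected; the check never applies")
    return problems


@dataclass
class SimulatedAccount:
    """Constructed stand-in for the AD user object's lockout state."""
    bad_pwd_count: int = 0
    locked_out: bool = False


def simulate(cfg: LockoutPrevention, ad_lockout_threshold: int,
             attempts: List[Tuple[Optional[int], bool]],
             account: Optional[SimulatedAccount] = None) -> Tuple[SimulatedAccount, List[str]]:
    """Replay (nas_port_type, password_correct) attempts through ISE and a simulated DC.

    Returns the account state and one outcome per attempt:
    'drop' (never reached AD), 'reject', 'accept' or 'locked'.
    """
    acct = account or SimulatedAccount()
    outcomes: List[str] = []
    for nas_port_type, password_ok in attempts:
        if decide(cfg, acct.bad_pwd_count, nas_port_type) == "drop":
            outcomes.append("drop")          # badPwdCount is left untouched
            continue
        if acct.locked_out:
            outcomes.append("locked")
            continue
        if password_ok:
            acct.bad_pwd_count = 0           # a successful logon resets the counter
            outcomes.append("accept")
        else:
            acct.bad_pwd_count += 1
            if ad_lockout_threshold and acct.bad_pwd_count >= ad_lockout_threshold:
                acct.locked_out = True
                outcomes.append("locked")
            else:
                outcomes.append("reject")
    return acct, outcomes
```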

Machine Access Restriction Cache

Cisco ISE stores the Machine Access Restriction (MAR) cache content, the calling-station-ID list, and the corresponding time stamps to a file on its local disk when you manually stop the application services. Cisco ISE does not store the MAR cache entries of an instance when there is an accidental restart of the application services. When the application services restart, Cisco ISE reads the MAR cache entries from the file on its local disk based on the cache entry time to live. When the application services come up after a restart, Cisco ISE compares the current time of that instance with the MAR cache entry time. If the difference between the current time and the MAR entry time is greater than the MAR cache entry time to live, Cisco ISE does not retrieve that entry from disk. Otherwise, Cisco ISE retrieves that MAR cache entry and updates its MAR cache entry time to live.

To Configure MAR Cache

On Advanced Settings tab of the Active Directory defined in External Identity Sources, verify that the following options are checked:

  • Enable Machine Authentication: To enable machine authentication.

  • Enable Machine Access Restriction: To combine user and machine authentication before authorization.

To Use MAR Cache in Authorization

Use WasMachineAuthenticated is True in an authorization policy. You can use this rule plus a credentials rule to do dual-authentication. Machine authentication must be done before AD credentials.

If you created a Node Group on the System > Deployment page, enable MAR Cache Distribution. MAR cache distribution replicates the MAR cache to all the PSNs in the same node group.

For more information, see the following Cisco ISE Community pages:

Configure Custom Schema

Before you begin

You must join Cisco ISE to the Active Directory domain.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Select the Join point.

Step 3

Click the Advanced Settings tab.

Step 4

Under the Schema section, select the Custom option from the Schema drop-down list. You can update the user information attributes based on your requirements. These attributes are used to collect user information, such as, first name, last name, email, telephone, locality, and so on.

Predefined attributes are used for the Active Directory schema (built-in schema). If you edit the attributes of the predefined schema, Cisco ISE automatically creates a custom schema.

Support for Active Directory Multijoin Configuration

Cisco ISE supports multiple joins to Active Directory domains. Cisco ISE supports up to 50 Active Directory joins. Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join.

You can join the same forest more than once, that is, you can join more than one domain in the same forest, if necessary.

Cisco ISE now allows you to join domains with a one-way trust. This option helps bypass the permission issues caused by a one-way trust. You can join either of the trusted domains and hence be able to see both domains.

  • Join Point: In Cisco ISE, each independent join to an Active Directory domain is called a join point. The Active Directory join point is a Cisco ISE identity store and can be used in authentication policy. It has an associated dictionary for attributes and groups, which can be used in authorization conditions.

  • Scope: A subset of Active Directory join points grouped together is called a scope. You can use scopes in authentication policy in place of a single join point and as authentication results. Scopes are used to authenticate users against multiple join points. Instead of having multiple rules for each join point, if you use a scope, you can create the same policy with a single rule and save the time that Cisco ISE takes to process a request and help improve performance. A join point can be present in multiple scopes. A scope can be included in an identity source sequence. You cannot use scopes in an authorization policy condition because scopes do not have any associated dictionaries.

    When you perform a fresh Cisco ISE install, by default no scopes exist. This is called the no scope mode. When you add a scope, Cisco ISE enters multi-scope mode. If you want, you can return to no scope mode. All the join points will be moved to the Active Directory folder.
    • Initial_Scope is an implicit scope that is used to store the Active Directory join points that were added in no scope mode. When multi-scope mode is enabled, all the Active Directory join points move into the automatically created Initial_Scope. You can rename the Initial_Scope.

    • All_AD_Instances is a built-in pseudo scope that is not shown in the Active Directory configuration. It is only visible as an authentication result in policy and identity sequences. You can select this scope if you want to select all Active Directory join points configured in Cisco ISE.

Create a New Scope to Add Active Directory Join Points


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click Scope Mode.

A default scope called Initial_Scope is created, and all the current join points are placed under this scope.

Step 3

To create more scopes, click Add.

Step 4

Enter a name and a description for the new scope.

Step 5

Click Submit.

Identity Rewrite

Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix or other additional markup of your choice.

Identity rewrite rules are applied on the username or hostname received from the client, before being passed to Active Directory, for operations such as subject searches, authentication, and authorization queries. Cisco ISE will match the condition tokens and when the first one matches, Cisco ISE stops processing the policy and rewrites the identity string according to the result.

During the rewrite, everything enclosed in square brackets [ ] (such as [IDENTITY]) is a variable: on the evaluation side it is not matched literally but captures whatever string appears at that position, and on the rewrite side it is replaced with the captured string. Everything without brackets is evaluated as a fixed string on both the evaluation side and the rewrite side of the rule.

The following are some examples of identity rewrite, considering that the identity entered by the user is ACME\jdoe:

  • If identity matches ACME\[IDENTITY], rewrite as [IDENTITY].

    The result would be jdoe. This rule instructs Cisco ISE to strip the ACME prefix from all usernames that carry it.

  • If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]

    The result would be This rule instructs Cisco ISE to change the format from prefix to suffix notation, or from NetBIOS format to UPN format.

  • If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY].

    The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate prefix.

  • If the identity matches [ACME]\jdoe.USA, rewrite as [IDENTITY]@[ACME].com.

    The result would be jdoe\ This rule instructs Cisco ISE to strip the realm after the dot (in this case, the country) and replace it with the correct domain.

  • If the identity matches E=[IDENTITY], rewrite as [IDENTITY].

    The result would be jdoe. This is an example rule that can be created when an identity is from a certificate, the field is an email address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.

  • If the identity matches E=[EMAIL],[DN], rewrite as [DN].

    This rule converts a certificate subject from CN=jdoe, DC=acme, DC=com to the pure DN CN=jdoe, DC=acme, DC=com. This is an example rule that can be created when the identity is taken from a certificate subject and Active Directory is configured to search for the user by DN. This rule instructs Cisco ISE to strip the email prefix and generate the DN.

The following are some common mistakes while writing the identity rewrite rules:

  • If the identity matches [DOMAIN]\[IDENTITY], rewrite as [IDENTITY]

    The result would be This rule does not have [DOMAIN] in square brackets [ ] on the rewrite side of the rule.

  • If the identity matches DOMAIN\[IDENTITY], rewrite as [IDENTITY]@[DOMAIN].com.

    Here again, the result would be This rule does not have [DOMAIN] in square brackets [ ] on the evaluation side of the rule.

Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also apply to identities taken from certificates if EAP-TLS is being used.
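The token matching described above, as an added example that is not part of the original guide and not Cisco's implementation: bracketed tokens capture text, literals match exactly, the first matching rule wins, and a token used on the rewrite side that was never captured on the evaluation side is flagged as the common mistake the text describes. Rule strings and sample identities are constructed from the examples in the text; the email address and DN values are constructed.

```python
import re
from dataclasses import dataclass

# A token is a bracketed name on either side of a rule, e.g. [IDENTITY].
TOKEN = re.compile(r"\[([A-Za-z_][A-Za-z0-9_]*)\]")


@dataclass(frozen=True)
class RewriteRule:
    match: str    # evaluation side, e.g. r"ACME\[IDENTITY]"
    rewrite: str  # result side, e.g. r"[IDENTITY]"


def _compile(condition):
    """Turn the evaluation side into a regex: literal text is matched
    exactly, each token becomes a named capture group.
    Returns (compiled regex, list of token names)."""
    parts, names, pos = [], [], 0
    for tok in TOKEN.finditer(condition):
        parts.append(re.escape(condition[pos:tok.start()]))
        names.append(tok.group(1))
        parts.append(f"(?P<{tok.group(1)}>.+?)")
        pos = tok.end()
    parts.append(re.escape(condition[pos:]))
    return re.compile("".join(parts)), names


def validate(rules):
    """Report rules whose rewrite side uses a token that the evaluation
    side never captures (literal DOMAIN on the match side is not a variable)."""
    errors = []
    for n, rule in enumerate(rules, 1):
        _, names = _compile(rule.match)
        for tok in TOKEN.findall(rule.rewrite):
            if tok not in names:
                errors.append(f"rule {n}: [{tok}] is not captured on the evaluation side")
    return errors


def rewrite_identity(identity, rules):
    """Apply the first rule whose evaluation side matches the whole identity;
    later rules are not considered. With no match the identity is unchanged."""
    for rule in rules:
        regex, _ = _compile(rule.match)
        m = regex.fullmatch(identity)
        if m is None:
            continue
        try:
            return TOKEN.sub(lambda t: m.group(t.group(1)), rule.rewrite)
        except IndexError as exc:
            raise ValueError(f"unbound token on rewrite side of {rule.match!r}") from exc
    return identity


def run_examples():
    """Constructed rules and inputs mirroring the examples in the text."""
    strip_prefix = RewriteRule(r"ACME\[IDENTITY]", r"[IDENTITY]")
    swap_prefix = RewriteRule(r"ACME\[IDENTITY]", r"ACME2\[IDENTITY]")
    drop_e = RewriteRule(r"E=[IDENTITY]", r"[IDENTITY]")
    email_to_dn = RewriteRule(r"E=[EMAIL],[DN]", r"[DN]")
    results = {
        "strip": rewrite_identity(r"ACME\jdoe", [strip_prefix]),
        "swap": rewrite_identity(r"ACME\jdoe", [swap_prefix]),
        # first match wins: strip_prefix is listed first, so swap_prefix is ignored
        "first_wins": rewrite_identity(r"ACME\jdoe", [strip_prefix, swap_prefix]),
        "no_match": rewrite_identity(r"OTHER\jdoe", [strip_prefix]),
        "drop_e": rewrite_identity("E=jdoe@acme.com", [drop_e]),
        "to_dn": rewrite_identity("E=jdoe@acme.com,CN=jdoe,DC=acme,DC=com", [email_to_dn]),
    }
    # The two common mistakes: DOMAIN written as a literal on one side only.
    literal_on_rewrite = RewriteRule(r"[DOMAIN]\[IDENTITY]", r"[IDENTITY]@DOMAIN.com")
    literal_on_match = RewriteRule(r"DOMAIN\[IDENTITY]", r"[IDENTITY]@[DOMAIN].com")
    results["literal_suffix"] = rewrite_identity(r"ACME\jdoe", [literal_on_rewrite])
    results["errors"] = validate([literal_on_match])
    return results


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}: {value}")
```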

Enable Identity Rewrite


This configuration task is optional. You can perform it to reduce authentication failures that can arise because of various reasons such as ambiguous identity errors.

Before you begin

You must join Cisco ISE to the Active Directory domain.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click the Advanced Settings tab.

Step 3

Under the Identity Rewrite section, choose whether you want to apply the rewrite rules to modify usernames.

Step 4

Enter the match conditions and the rewrite results. You can remove the default rule that appears and enter the rule according to your requirement. Cisco ISE processes the policy in order, and the first condition that matches the request username is applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username to the result. If none of the rules match, the identity name remains unchanged. You can click the Launch Test button to preview the rewrite processing.

Identity Resolution Settings

Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, “ACME” is the domain markup prefix; similarly, in a UPN identity such as, “” is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or an alternative UPN suffix in your organization. For example, is treated as without domain markup because is not a DNS name of an Active Directory domain.

The identity resolution settings allow you to configure important settings to tune the security and performance balance to match your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain markup. When Cisco ISE is not aware of the user's domain, it can be configured to search for the user in all the authentication domains. Even if the user is found in one domain, Cisco ISE waits for all responses in order to ensure that there is no identity ambiguity. This might be a lengthy process, depending on the number of domains, latency in the network, load, and so on.

Avoid Identity Resolution Issues

It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication: for example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors frequently, such as when several Active Directory accounts match the incoming username; for example, jdoe matches to and In some cases, using fully qualified names is the only way to resolve the issue. In others, it may be sufficient to guarantee that the users have unique passwords. So, it is more efficient and leads to fewer password lockout issues if unique identities are used from the start.

Configure Identity Resolution Settings


This configuration task is optional. You can perform it to reduce authentication failures that can arise because of various reasons such as ambiguous identity errors.

Before you begin

You must join the Cisco ISE node to the Active Directory domain.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click the Advanced Settings tab.

Step 3

Define the following settings for identity resolution for usernames or machine names under the Identity Resolution section. This setting provides you advanced control for user search and authentication.

The first setting is for the identities without a markup. In such cases, you can select any of the following options:

  • Reject the request: This option fails the authentication for users who do not have any domain markup, such as a SAM name. This is useful in the case of multiple joined domains, where Cisco ISE would otherwise have to look up the identity in all the joined global catalogs, which might not be very secure. This option forces the users to use names with domain markup.
  • Only search in the “Authentication Domains” from the joined forest: This option will search for the identity only in the domains in the forest of the join point which are specified in the authentication domains section. This is the default option.
  • Search in all the “Authentication Domains” sections: This option will search for the identity in all authentication domains in all the trusted forests. This might increase latency and impact performance.

The selection is made based on how the authentication domains are configured in Cisco ISE. If only specific authentication domains are selected, only those domains will be searched (for both “joined forest” or “all forests” selections).

The second setting is used if Cisco ISE cannot communicate with all Global Catalogs (GCs) that it needs to in order to comply with the configuration specified in the “Authentication Domains” section. In such cases, you can select any of the following options:

  • Proceed with available domains: This option will proceed with the authentication if it finds a match in any of the available domains.
  • Drop the request: This option will drop the authentication request if the identity resolution encounters some unreachable or unavailable domain.
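The resolution behaviour described in this section, as an added example that is not part of the original guide and not Cisco's implementation: identities are split into markup and bare name (a suffix that is not a known DNS name or alternative UPN suffix counts as no markup), the no-markup setting selects which authentication domains are queried, every candidate domain is queried before deciding so ambiguity is detected, and the unreachable-domain setting decides between proceeding and dropping. The forest layout, account names and the treatment of an unknown NetBIOS prefix as "no markup" are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class NoMarkup(Enum):
    REJECT = "reject the request"
    JOINED_FOREST = "only search authentication domains in the joined forest"
    ALL_FORESTS = "search all authentication domains"


class Unreachable(Enum):
    PROCEED = "proceed with available domains"
    DROP = "drop the request"


@dataclass(frozen=True)
class Domain:
    netbios: str                        # NTLM name used as prefix, e.g. ACME
    dns_name: str                       # DNS name used as UPN suffix, e.g. acme.com
    upn_suffixes: tuple = ()            # alternative UPN suffixes
    joined_forest: bool = True          # in the forest of the join point
    authentication_domain: bool = True  # selected under Authentication Domains
    reachable: bool = True              # whether its global catalog answers
    accounts: frozenset = frozenset()   # sAMAccountNames present (constructed)


def split_markup(identity, domains):
    """Return (domain, bare name) when the prefix or suffix names a known
    domain; otherwise (None, identity), i.e. the whole string is the name.
    Assumption: an unknown prefix is treated like an unknown suffix."""
    if "\\" in identity:
        prefix, _, name = identity.partition("\\")
        for d in domains:
            if d.netbios.casefold() == prefix.casefold():
                return d, name
    elif "@" in identity:
        name, _, suffix = identity.rpartition("@")
        for d in domains:
            if suffix.casefold() in {s.casefold() for s in (d.dns_name, *d.upn_suffixes)}:
                return d, name
    return None, identity


def resolve(identity, domains, no_markup=NoMarkup.JOINED_FOREST,
            unreachable=Unreachable.PROCEED):
    """Return (status, list of NetBIOS names involved in the decision)."""
    domain, name = split_markup(identity, domains)
    if domain is not None:
        candidates = [domain]
    else:
        if no_markup is NoMarkup.REJECT:
            return "rejected", []
        candidates = [d for d in domains if d.authentication_domain
                      and (no_markup is NoMarkup.ALL_FORESTS or d.joined_forest)]
    matches, unavailable = [], []
    for d in candidates:  # every candidate is queried before deciding
        if not d.reachable:
            unavailable.append(d.netbios)
        elif name.casefold() in {a.casefold() for a in d.accounts}:
            matches.append(d.netbios)
    if unavailable and unreachable is Unreachable.DROP:
        return "dropped", unavailable
    if len(matches) > 1:
        return "ambiguous", matches   # same bare name in several domains
    if len(matches) == 1:
        return "resolved", matches
    return "not found", []


def run_examples():
    """Constructed forest: jdoe exists in two joined-forest domains, and a
    trusted partner forest is currently unreachable."""
    acme = Domain("ACME", "acme.com", upn_suffixes=("acme.corp",),
                  accounts=frozenset({"jdoe"}))
    acme2 = Domain("ACME2", "acme2.com", accounts=frozenset({"jdoe"}))
    partner = Domain("PARTNER", "partner.example", joined_forest=False,
                     reachable=False, accounts=frozenset({"bob"}))
    domains = [acme, acme2, partner]
    return {
        "netbios": resolve(r"ACME\jdoe", domains),
        "upn_alt_suffix": resolve("jdoe@acme.corp", domains),
        "unknown_suffix": resolve("jdoe@unknown.test", domains, no_markup=NoMarkup.REJECT),
        "bare_ambiguous": resolve("jdoe", domains),
        "bare_rejected": resolve("jdoe", domains, no_markup=NoMarkup.REJECT),
        "bare_drop": resolve("bob", domains, no_markup=NoMarkup.ALL_FORESTS,
                             unreachable=Unreachable.DROP),
        "bare_proceed": resolve("bob", domains, no_markup=NoMarkup.ALL_FORESTS),
    }


if __name__ == "__main__":
    for case, outcome in run_examples().items():
        print(f"{case}: {outcome}")
```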

Test Users for Active Directory Authentication

The Test User tool can be used to verify user authentication from Active Directory. You can also fetch groups and attributes and examine them. You can run the test for a single join point or for scopes.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Choose one of the following options:

  • To run the test on all join points, choose Advanced Tools > Test User for All Join Points.
  • To run the test for a specific join point, select the join point and click Edit. Select the Cisco ISE node and click Test User.

Step 3

Enter the username and password of the user (or host) in Active Directory.

Step 4

Choose the authentication type. Password entry in Step 3 is not required if you choose the Lookup option.

Step 5

Select the Cisco ISE node on which you want to run this test, if you are running this test for all join points.

Step 6

Check the Retrieve Groups and Attributes check boxes if you want to retrieve the groups and attributes from Active Directory.

Step 7

Click Test.

The result and steps of the test operation are displayed. The steps can help to identify the failure reason and troubleshoot.

You can also view the time taken (in milliseconds) for Active Directory to perform each processing step (for authentication, lookup, or fetching groups/attributes). Cisco ISE displays a warning message if the time taken for an operation exceeds the threshold.

Delete Active Directory Configurations

You should delete Active Directory configurations if you are not going to use Active Directory as an external identity source. Do not delete the configuration if you want to join another Active Directory domain. You can leave the domain to which you are currently joined and join a new domain.

Before you begin

Ensure that you have left the Active Directory domain.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Check the checkbox next to the configured Active Directory.

Step 3

Check and ensure that the Local Node status is listed as Not Joined.

Step 4

Click Delete.

You have removed the configuration from the Active Directory database. If you want to use Active Directory at a later point in time, you can resubmit a valid Active Directory configuration.

View Active Directory Joins for a Node

You can use the Node View button on the Active Directory page to view the status of all Active Directory join points for a given Cisco ISE node or a list of all join points on all Cisco ISE nodes.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click Node View.

Step 3

Select a node from the ISE Node drop-down list.

The table lists the status of Active Directory by node. If there are multiple join points and multiple Cisco ISE nodes in a deployment, this table may take several minutes to update.

Step 4

Click the join point Name link to go to that Active Directory join point page and perform other specific actions.

Step 5

Click the link in the Diagnostic Summary column to go to the Diagnostic Tools page to troubleshoot specific issues. The diagnostic tool displays the latest diagnostics results for each join point per node.

Diagnose Active Directory Problems

The Diagnostic Tool is a service that runs on every Cisco ISE node. It allows you to automatically test and diagnose the Active Directory deployment and execute a set of tests to detect issues that may cause functionality or performance failures when Cisco ISE uses Active Directory.

There are multiple reasons for which Cisco ISE might be unable to join or authenticate against Active Directory. This tool helps ensure that the prerequisites for connecting Cisco ISE to Active Directory are configured correctly. It helps detect problems with networking, firewall configurations, clock sync, user authentication, and so on. This tool works as a step-by-step guide and helps you fix problems with every layer in the middle, if needed.


Step 1

Choose Administration > Identity Management > External Identity Sources > Active Directory.

Step 2

Click the Advanced Tools drop-down and choose Diagnostic Tools.

Step 3

Select a Cisco ISE node to run the diagnosis on.

If you do not select a Cisco ISE node then the test is run on all the nodes.

Step 4

Select a specific Active Directory join point.

If you do not select an Active Directory join point then the test is run on all the join points.

Step 5

You can run the diagnostic tests either on demand or on a scheduled basis.

  • To run tests immediately, choose Run Tests Now.

  • To run the tests at a scheduled interval, check the Run Scheduled Tests check box and specify the start time and the interval (in hours, days, or weeks) at which the tests must be run. When this option is enabled, all the diagnostic tests are run on all the nodes and instances, and the failures are reported in the Alarms dashlet in the Home dashboard.

Step 6

Click View Test Details to view the details for tests with Warning or Failed status.

This table allows you to rerun specific tests, stop running tests, and view a report of specific tests.

Enable Active Directory Debug Logs

Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.


Step 1

Choose Administration > System > Logging > Debug Log Configuration.

Step 2

Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit.

Step 3

Click the Active Directory radio button, and click Edit.

Step 4

Choose DEBUG from the drop-down list next to Active Directory. This will include errors, warnings, and verbose logs. To get full logs, choose TRACE.

Step 5

Click Save.

Obtain the Active Directory Log File for Troubleshooting

Download and view the Active Directory debug logs to troubleshoot issues you may have.

Before you begin

Active Directory debug logging must be enabled.


Step 1

Choose Operations > Troubleshoot > Download Logs.

Step 2

Click the node from which you want to obtain the Active Directory debug log file.

Step 3

Click the Debug Logs tab.

Step 4

Scroll down this page to locate the ad_agent.log file. Click this file to download it.

Active Directory Alarms and Reports


Cisco ISE provides various alarms and reports to monitor and troubleshoot Active Directory related activities.

The following alarms are triggered for Active Directory errors and issues:
  • Configured nameserver not available

  • Joined domain is unavailable

  • Authentication domain is unavailable

  • Active Directory forest is unavailable

  • AD Connector had to be restarted

  • AD: ISE account password update failed

  • AD: Machine TGT refresh failed


You can monitor Active Directory related activities through the following two reports:
  • RADIUS Authentications report: This report shows detailed steps of the Active Directory authentication and authorization. You can find this report here: Operations > Reports > Endpoints and Users > RADIUS Authentications.

  • AD Connector Operations report: The AD Connector Operations report provides a log of background operations performed by AD connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP, and RPC connections management. If you encounter any Active Directory failures, you can review the details in this report to identify the possible causes. You can find this report here: Operations > Reports > Diagnostics > AD Connector Operations.

Active Directory Advanced Tuning

The advanced tuning feature provides node-specific settings used for support action under the supervision of Cisco support personnel, to adjust the parameters deeper in the system. These settings are not intended for normal administration flow, and should be used only under guidance.

Configure Preferred Domain Controllers

You can specify the domain controllers that you want to use in case of a domain failover. If a domain fails, Cisco ISE compares the priority scores of the domain controllers that are added to the preferred list and selects the one with the highest priority score. If that domain controller is offline or not reachable because of an issue, the next one in the preferred list with the highest priority score is used. If all the domain controllers in the preferred list are down, a domain controller outside the list is selected based on the priority score. When the domain controller that was used before the failover is restored, Cisco ISE switches back to that domain controller.


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources > Active Directory > Advanced Tools > Advanced Tuning.

Step 2

From the ISE Node drop-down list, choose the Cisco ISE node that you want to configure.

Step 3

Enter the following registry key in the Name field:

REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\PreferredDCs\<Domain Name>

Step 4

In the Value field, specify the domain controllers that you want to add to the preferred list, separated by a space. Here is an example:

Step 5

(Optional) In the Comment field, enter a description about the preferred list.

Step 6

Click Update Value.

Step 7

Click Restart Active Directory Connector.

If you do not want to use the preferred list, click Reset Parameter to Factory Default.

Active Directory Identity Search Attributes

Cisco ISE identifies users using the attributes SAM, CN, or both. Cisco ISE uses the sAMAccountName attribute as the default attribute.

You can configure Cisco ISE to use SAM, CN, or both, if your environment requires it. When SAM and CN are used and the value of the sAMAccountName attribute is not unique, Cisco ISE also compares the CN attribute value.


To modify this default behavior, change the value of the "IdentityLookupField" flag as mentioned in the "Configure Attributes for Active Directory Identity Search" section.

Configure Attributes for Active Directory Identity Search

  1. Choose Administration > Identity Management > External Identity Sources > Active Directory.

  2. In the Active Directory window, click Advanced Tools, and choose Advanced Tuning. Enter the following details:

    • ISE Node: Choose the ISE node that is connecting to Active Directory.

    • Name: Enter the registry key that you are changing. To change the Active Directory search attributes, enter: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\IdentityLookupField

    • Value: Enter the attributes that ISE uses to identify a user:

      • SAM: To use only SAM in the query (this option is the default).

      • CN: To use only CN in the query.

      • SAMCN: To use CN and SAM in the query.

    • Comment: Describe what you are changing, for example: Changing the default behavior to SAM and CN

  3. Click Update Value to update the registry.

    A pop-up window appears. Read the message and accept the change. The AD connector service in ISE restarts.

Example Search Strings

For the following examples, assume that the username is userd2only:

  • SAM search string—
  • SAM and CN search string—

Supplemental Information for Setting Up Cisco ISE with Active Directory

For configuring Cisco ISE with Active Directory, you must configure group policies, and configure a supplicant for machine authentication.

Configure Group Policies in Active Directory

For more information about how to access the Group Policy management editor, refer to the Microsoft Active Directory documentation.


Step 1

Open the Group Policy management editor as shown in the following illustration.

Group Policy management editor

Step 2

Create a new policy and enter a descriptive name for it or add to an existing domain policy.

In the example below, we used Wired Autoconfiguration for the policy name.

Step 3

Check the Define this policy setting check box, and click the Automatic radio button for the service startup mode as shown in the following illustration.

Wired Autoconfig Properties settings

Step 4

Apply the policy at the desired organizational unit or domain Active Directory level.

Configure Odyssey 5.X Supplicant for EAP-TLS Machine Authentications Against Active Directory

If you are using the Odyssey 5.x supplicant for EAP-TLS machine authentications against Active Directory, you must configure the following in the supplicant.


Step 1

Start Odyssey Access Client.

Step 2

Choose Odyssey Access Client Administrator from the Tools menu.

Step 3

Double-click the Machine Account icon.

Step 4

From the Machine Account window, you must configure a profile for EAP-TLS authentications:

  1. Choose Configuration > Profiles.

  2. Enter a name for the EAP-TLS profile.

  3. On the Authentication tab, choose EAP-TLS as the authentication method.

  4. On the Certificate tab, check the Permit login using my certificate check box, and choose a certificate for the supplicant machine.

  5. On the User Info tab, check the Use machine credentials check box.

    If this option is enabled, the Odyssey supplicant sends the machine name in the format host\<machine_name> and Active Directory identifies the request as coming from a machine and will look up computer objects to perform authentication. If this option is disabled, the Odyssey supplicant sends the machine name without the host\ prefix and Active Directory will look up user objects and the authentication fails.

Configure Agent for Machine Authentication

When you configure the Agent for machine authentication, you can do one of the following:

  • Use the default machine hostname, which includes the prefix “host/.”

  • Configure a new profile, in which case you must include the prefix “host/” and then the machine name.

Active Directory Requirements to Support Easy Connect and Passive Identity services

Easy Connect and Passive Identity services use Active Directory login audit events generated by the Active Directory domain controller to gather user login information. The Active Directory server must be configured properly so the ISE user can connect and fetch the user login information. The following sections show how to configure the Active Directory domain controller (configurations from the Active Directory side) to support Easy Connect and Passive Identity services.

To configure Active Directory domain controllers (configurations from the Active Directory side) to support Easy Connect and Passive Identity services, follow these steps:


You must configure all the domain controllers in all the domains.

  1. Set up Active Directory join points and domain controllers from ISE (see Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point).

  2. Perform the following steps from Active Directory:

  3. (Optional) Troubleshoot automatic configurations performed by ISE on Active Directory with these steps:

Configure Active Directory for Passive Identity service

ISE Easy Connect and Passive Identity services use Active Directory login audit events generated by the Active Directory domain controller to gather user login information. ISE connects to Active Directory and fetches the user login information.

The following steps should be performed from the Active Directory domain controller:


Step 1

Make sure relevant Microsoft patches are installed on the Active Directory domain controllers.

Step 2

Make sure the Active Directory logs the user login events in the Windows Security Log.

Verify that the Audit Policy settings (part of the Group Policy Management settings) allow successful logons to generate the necessary events in the Windows Security Log (this is the default Windows setting, but you must explicitly ensure that this setting is correct).

Step 3

You must have an Active Directory user with sufficient permissions for ISE to connect to the Active Directory. The following instructions show how to define permissions for a user who is a member of the Domain Admins group and for a user who is not:

  • Permissions Required when an Active Directory User is a Member of the Domain Admin Group

  • Permissions Required when an Active Directory User is Not a Member of the Domain Admin Group

Step 4

The Active Directory user used by ISE can be authenticated either by NT LAN Manager (NTLM) v1 or v2. You need to verify that the Active Directory NTLM settings are aligned with the ISE NTLM settings to ensure a successfully authenticated connection between ISE and the Active Directory domain controller. The following table shows all Microsoft NTLM options and which ISE NTLM settings are supported. If ISE is set to NTLMv2, all six options described in the table are supported. If ISE is set to support NTLMv1, only the first five options are supported.

Table 15. Supported Authentication Types Based on ISE and AD NTLM Version Settings

Active Directory (AD) NTLM Setting Option                    ISE set to NTLMv1        ISE set to NTLMv2

Send LM & NTLM responses                                     Connection is allowed    Connection is allowed

Send LM & NTLM - use NTLMv2 session security if negotiated   Connection is allowed    Connection is allowed

Send NTLM response only                                      Connection is allowed    Connection is allowed

Send NTLMv2 response only                                    Connection is allowed    Connection is allowed

Send NTLMv2 response only. Refuse LM                         Connection is allowed    Connection is allowed

Send NTLMv2 response only. Refuse LM & NTLM                  Connection is refused    Connection is allowed