SV-242633r714209_rule
V-242633
SRG-APP-000516-NDM-000336
CSCO-NM-000270
CAT II
10
Configure external authentication to a central AAA identity source.
Configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
1. Choose Administration >> System >> Admin Access >> Authentication.
2. On the Authentication Method tab, select Password Based and choose one of the external identity sources that was previously configured (for example, the Active Directory instance that was created).
3. Configure any other specific password policy settings for administrators who authenticate using an external identity store.
4. Click "Save".
Create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that was entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. Specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Click "Add".
3. Enter a name and optional description.
4. Choose the "External" radio button.
5. From the External Groups drop-down list box, choose the Active Directory group to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group.
6. Click "Save".
Configure menu access and data access permissions that can be assigned to the external administrator group.
1. Choose Administration >> System >> Admin Access >> Permissions.
2. Click one of the following:
- Menu Access - All administrators who belong to the external administrator group can be granted permission at the
menu or submenu level. The menu access permission determines the menus or submenus that they can access.
- Data Access - All administrators who belong to the external administrator group can be granted permission at the
data level. The data access permission determines the data that they can access.
3. Specify menu access or data access permissions for the external administrator group.
4. Click "Save".
In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
1. Choose Administration >> System >> Admin Access >> Authorization >> Policy.
2. Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure the administrator in question is associated with the correct external administrator group.
3. Click "Save".
Verify an external authentication identity source is configured.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. View the External Group configuration.
If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.
V-242633
False
CSCO-NM-000270
Verify an external authentication identity source is configured.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. View the External Group configuration.
If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.
M
5384