Integration of Cisco ISE with AD and AuthNull RADIUS Bridge
1. Introduction
Cisco ISE (Identity Services Engine) is a network access control platform that centralizes authentication, authorization, and accounting (AAA). It can join an Active Directory (AD) domain and validate user credentials against it, and it can proxy RADIUS authentication requests to an external RADIUS server such as the AuthNull RADIUS Bridge, which adds a second factor (2FA) to the login.
This document describes both pieces: configuring AD as an identity source in Cisco ISE, and forwarding selected RADIUS requests to the AuthNull RADIUS Bridge for 2FA.
2. Prerequisites
Before starting the configuration, ensure you have the following:
- A running Cisco ISE deployment with administrator access.
- An AD domain reachable from every Policy Service Node (PSN). ISE must resolve the domain through DNS (it locates domain controllers via SRV records), and its clock must be within the Kerberos skew tolerance of the domain controllers (5 minutes), so configure NTP before joining.
- An AD account permitted to join a computer to the domain; it is needed only during the join.
- An AuthNull RADIUS Bridge that is installed, has its 2FA backend configured, and is reachable from every PSN on UDP/1812 (and UDP/1813 if accounting is proxied). Each PSN IP address must be registered on the bridge as a RADIUS client with the shared secret used below.
- RADIUS clients (switches, wireless controllers, VPN gateways) already added under Administration > Network Resources > Network Devices in Cisco ISE.
3. Integration of Active Directory (AD) Validation in Cisco ISE
Step 1: Join Cisco ISE to the Active Directory Domain
- Log in to the Cisco ISE admin portal with an administrator account.
- Go to Administration > Identity Management > External Identity Sources > Active Directory and click Add.
- In the join point window:
  - Join Point Name: a label used later in policy (e.g., "Company_AD").
  - Active Directory Domain: the fully qualified domain name (e.g., corp.example.com). Domain controllers are not entered by hand; ISE discovers them through DNS, and the Simple Bind / Secure Bind and primary/secondary server fields belong to the LDAP identity source, not to AD.
- Click Submit, then confirm that you want to join the ISE nodes to the domain.
- Enter the user name and password of an AD account allowed to join a computer to the domain, optionally specify the organizational unit for the ISE computer accounts, and click OK. Unless you tick Store Credentials, ISE uses these credentials only for the join and does not keep them.
- On the Connection tab, check that every node shows the status Operational.
- On the Groups tab, click Add > Select Groups From Directory and add the AD groups you will reference in authorization rules (e.g., "VPN Users").
- Use Test User on the Connection tab to confirm that ISE can authenticate a known account and retrieve its groups before you build policy on it.
Step 2: Configure the Authentication Policy to Use AD
- Go to Policy > Policy Sets and open the policy set that handles the traffic you want to validate against AD, or add a set with a matching condition (a device type, or a predefined condition such as Wired_802.1X or Wireless_802.1X).
- Leave Allowed Protocols / Server Sequence set to an allowed-protocols list such as Default Network Access. The method (PAP, MS-CHAPv2, PEAP with EAP-MSCHAPv2, and so on) is negotiated with the client from that list; it is not chosen per rule.
- Expand Authentication Policy and add a rule:
  - Conditions: when the rule applies (e.g., a NAS-Port-Type, or the same predefined 802.1X condition).
  - Use: the AD join point created in Step 1, or an Identity Source Sequence that contains it.
  - Options: keep If Auth fail and If User not found at REJECT and If Process fail at DROP, so an unreachable domain controller cannot fall through to another identity store.
- Click Save.
Step 3: Test AD Authentication
- From a client machine, connect through a RADIUS client that matches the policy set (wired, wireless or VPN).
- Cisco ISE validates the credentials against AD.
- On success, the authorization policy of the same policy set decides what access is granted.
- Go to Operations > RADIUS > Live Logs and open the details of the attempt: the steps should name the AD join point as the identity store, and rejected attempts carry a failure reason that tells a wrong password apart from an unknown user or a connection problem.
4. Integrating Two-Factor Authentication (2FA) with AuthNull RADIUS Bridge
Step 1: Add AuthNull RADIUS Bridge as an External RADIUS Server in Cisco ISE
- Go to Administration > Network Resources > External RADIUS Servers and click Add.
- In the Add window:
  - Name: e.g., "AuthNull_RADIUS_Bridge".
  - Host IP: the IP address of the bridge.
  - Shared Secret: the same secret configured on the bridge for the PSN IP addresses. Use a long random value. RADIUS protects only the User-Password, and only with MD5-based obfuscation keyed by this secret; every other attribute travels in clear text, so also restrict the network path between the PSNs and the bridge.
  - Authentication Port: 1812 (Accounting Port: 1813) unless the bridge listens elsewhere.
  - Server Timeout and Connection Attempts: how long ISE waits for a reply and how often it retries. A second factor that waits for the user (push approval or OTP entry) needs more than the short default of 5 seconds; see Troubleshooting.
- Click Submit.
Step 2: Create a RADIUS Server Sequence
Cisco ISE forwards requests through a RADIUS server sequence; "Connection Request Policy" is Microsoft NPS terminology and does not exist in ISE.
- Go to Administration > Network Resources > RADIUS Server Sequences and click Add.
- Name: a descriptive name (e.g., "Forward_to_AuthNull_2FA").
- Move the external RADIUS server from Step 1 into the selected list. If you run a second bridge, add it as well; ISE tries the servers in order when one does not respond.
- Under Advanced Attribute Settings, decide whether accounting stays local (Local Accounting) or is forwarded, and whether to strip a realm or domain prefix from the user name before forwarding. Only enable stripping if the bridge expects the bare user name.
- Enable Continue to Authorization Policy on Access-Accept if the ISE authorization policy should still decide the access level after the bridge accepts; otherwise ISE relays the bridge's Access-Accept as is.
- Click Submit.
Step 3: Point a Policy Set at the Server Sequence
ISE also has no "Network Policy" object (another NPS term); the equivalent is a policy set whose protocol selector is the server sequence.
- Go to Policy > Policy Sets and add a new policy set above the Default set.
- Policy Set Name: e.g., "VPN_2FA".
- Conditions: the traffic to send to the bridge, typically the network device group or device IP address of the VPN gateways.
- Allowed Protocols / Server Sequence: select the RADIUS server sequence from Step 2. This makes the set a proxy set: the whole Access-Request is forwarded to the bridge, and no local authentication policy is evaluated for it.
- If you enabled Continue to Authorization Policy on Access-Accept, expand Authorization Policy and add rules, for example a rule matching the AD group "VPN Users" (added to the join point in section 3, Step 1) mapped to PermitAccess, with the default rule left at DenyAccess.
- Click Save. Policy sets are matched top down, so make sure this set sits above any broader set that would otherwise catch the VPN traffic.
Step 4: Test the 2FA Flow
- A proxied request is not validated against AD by ISE first. ISE forwards the Access-Request, apart from any configured name stripping, to the AuthNull RADIUS Bridge, and the bridge is responsible for both factors: checking the AD password it receives and performing the second factor (an OTP, a push approval or a hardware token). AD validation in ISE itself applies only to policy sets that authenticate locally, as in section 3.
- Most OTP bridges expect PAP, where the password reaches the bridge protected only by the shared-secret obfuscation; EAP methods such as PEAP/EAP-MSCHAPv2 can be proxied only if the bridge terminates EAP itself. Check the AuthNull documentation for the methods it accepts and configure the network device accordingly.
- If the bridge needs input from the user, it returns Access-Challenge (with Reply-Message and State). ISE relays the challenge to the network device, which prompts for the code and sends a new Access-Request that ISE forwards again. The device must support RADIUS challenge/response for this to work.
- When the bridge answers Access-Accept, ISE relays it, or, if Continue to Authorization Policy on Access-Accept is enabled, applies its own authorization policy and returns the resulting authorization profile. An Access-Reject from the bridge is relayed as a reject.
- Operations > RADIUS > Live Logs shows each proxied attempt and its outcome; check the bridge's own log for the second-factor result.
5. Troubleshooting
- Authentication failure (AD): open the attempt in Operations > RADIUS > Live Logs; the failure reason distinguishes a wrong password from an unknown user or an unreachable domain controller. On the AD join point, confirm each node is still joined and run the Diagnostic Tool under Advanced Tools, which checks DNS, Kerberos and LDAP connectivity. A node whose clock has drifted more than 5 minutes from the domain controllers fails Kerberos and therefore fails AD authentication.
- 2FA failure: a shared-secret mismatch does not produce a clean error. The bridge drops or rejects a request whose User-Password does not decode, and ISE discards a reply whose Response Authenticator does not verify, so both sides log a timeout or an invalid-authenticator event rather than "wrong secret". Re-enter the secret on both ends, confirm the bridge has every PSN IP address registered as a RADIUS client, and confirm UDP/1812 reachability from each PSN.
- Timeouts: the wait for a push approval or an OTP spans three links, and each needs a timeout long enough for the user to act: the network device's RADIUS timeout toward ISE, the Server Timeout of the external RADIUS server in ISE, and the bridge's timeout toward its 2FA backend. The device timeout is the one most often forgotten. Keep retransmits low (one) when timeouts are long, otherwise a slow approval triggers duplicate requests and duplicate prompts.
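To exercise the path from section 4, Step 4 and to tell the troubleshooting cases apart (bridge unreachable, shared secret wrong, challenge pending), the following standard-library Python script sends an Access-Request to the bridge the way a RADIUS client does and checks the reply's Response Authenticator against the shared secret. It is an added example written for this page, not code from Cisco or AuthNull; the packet format follows RFC 2865, the address, secret and account in the main block are placeholders, and nothing about the bridge's own attribute set is assumed.

```python
"""Minimal RADIUS Access-Request tester (RFC 2865) for a RADIUS bridge, using the same
shared secret Cisco ISE will use. Added example for this guide; standard library only."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is the only protection the password gets on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password: what the bridge does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build_attributes(attrs) -> bytes:
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attributes(data: bytes):
    """Return [(type, value), ...]; duplicates (e.g. several Reply-Message) are kept."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = None, extra=()) -> bytes:
    """Access-Request as a NAS, or ISE acting as proxy, sends it to the bridge."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encode_password(password.encode(), secret, authenticator)),
             (NAS_IDENTIFIER, b"ise-bridge-test")] + list(extra)
    body = build_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    """Reply as the bridge sends it (RFC 2865 section 3): the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = build_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def classify_reply(request: bytes, reply: bytes, secret: bytes):
    """Verify the reply against the request and secret; return (outcome, message, state).
    A wrong shared secret surfaces here as 'bad-authenticator', never as an explicit error."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply) or reply[1] != request[1]:
        return "malformed", "", None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator", "", None
    messages, state = [], None
    for t, v in parse_attributes(reply[20:]):
        if t == REPLY_MESSAGE:
            messages.append(v.decode(errors="replace"))
        elif t == STATE:
            state = v
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return names.get(reply[0], "unknown"), " ".join(messages), state


def exchange(host: str, port: int, secret: bytes, username: str, password: str,
             timeout: float = 60.0, state: bytes = None):
    """One UDP round trip. To answer an Access-Challenge, call again with the returned
    State and the one-time code as the password, which is what ISE relays for the NAS."""
    extra = [(STATE, state)] if state else []
    request = build_access_request(os.urandom(1)[0], username, password, secret, extra=extra)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", "", None
    return classify_reply(request, reply, secret)


if __name__ == "__main__":
    # Placeholders: the bridge address, the secret configured for this client IP, a test account.
    bridge, secret = ("192.0.2.10", 1812), b"replace-with-shared-secret"
    outcome, message, state = exchange(*bridge, secret, "alice", "Passw0rd!")
    print(outcome, message)
    if outcome == "challenge":  # the bridge wants the second factor
        print(exchange(*bridge, secret, "alice", input("OTP: "), state=state)[0])
```

Run it from a host whose IP address is registered on the bridge as a RADIUS client. With a correct secret, "timeout" points at reachability or at the bridge's backend; "bad-authenticator" means the secret differs on the two ends; "challenge" shows the bridge is asking for the code, which the script returns together with the State attribute, the same relay ISE performs on behalf of the network device.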
6. Conclusion
With the steps above, Cisco ISE validates users against Active Directory for the policy sets that authenticate locally and proxies the requests that need a second factor to the AuthNull RADIUS Bridge, which enforces 2FA before access is granted. Keep the shared secret strong, the path between the PSNs and the bridge restricted, and the timeouts aligned end to end, so that the second factor strengthens the access control flow instead of breaking it.