Cisco ISE
Strengthen policy enforcement by aligning Cisco ISE with directory identities.
Overview
Cisco Identity Services Engine (ISE) is a leading network access control solution that helps organizations enforce security policies across wired, wireless, and VPN networks. By integrating Cisco ISE with ADManager Plus, enterprises can centralize identity management and automate user provisioning tasks, ensuring that access to network resources is always governed by the most up-to-date data in Active Directory (AD).
Sync Cisco ISE user data
With the Get Users endpoint, ADManager Plus can retrieve current user records from Cisco ISE. This facilitates better visibility for IT teams, enabling periodic audits, identity verification, and reconciliation of discrepancies between Cisco ISE and AD.
Policy-driven user management
ADManager Plus enables the automatic creation, modification, and removal of user accounts in Cisco ISE based on events or changes in Active Directory. This ensures that network access privileges are granted, adjusted, or revoked in real time, which strengthens the security posture and removes the risk of outdated user credentials remaining active in the network environment.
How to configure Cisco ISE integration in ADManager Plus
Prerequisites:
- Cisco ISE uses basic authentication credentials to authorize API requests.
- Authentication credentials required: username and password.
Privileges:
- To import users (Inbound action): Ensure the account used for authorization has permission to read all user accounts.
- To perform any action or query in Cisco ISE (Outbound Action): Ensure the account used for authorization has permission to perform the desired action.
Authorization configuration
- Log in to ADManager Plus and navigate to Directory/Application Settings.
- Go to Application Integrations, then search and select Cisco ISE.
- Toggle the Enable Cisco ISE Integration button on.
- In the Cisco ISE Configuration page, click Authorization.
- Enter the authentication credentials.
- Click Configure.
Inbound webhook configuration
Inbound webhook enables you to fetch user data from Cisco ISE to ADManager Plus. To configure an inbound webhook for Cisco ISE:
- Under Inbound Webhook, click Cisco ISE Endpoint Configuration.
- In the Endpoint Configuration tab, an endpoint, Cisco ISE - LIST ADMIN USERS ENDPOINT, comes pre-configured with Endpoint URL, API Method, Headers, and Parameters fields to fetch user accounts from Cisco ISE. To use this pre-configured endpoint, replace {ise-ip-address},{port} with the values of your Cisco ISE instance in the Endpoint URL field. If you would like to use a new endpoint to import users, you can configure one using the + Add API endpoint button and filling in the required fields as per Cisco ISE's API references. Click here to learn how.
Note:
- Authorization Header is preconfigured as a header for authenticating API requests as configured during Authorization Configuration.
- Macros: You can add macros to your endpoint configuration to dynamically change it as per your requirement using the macro chooser component.
- Refer to Cisco ISE's API references and configure additional headers and parameters, if required.
- Once done, click Test & Save. A response window will display all the requested parameters that can be fetched using the API call. Click Proceed.
Note:
- Refer to Cisco ISE's API references to know the Parameters that must be configured to fetch only specific parameters.
- You can configure multiple endpoints for Cisco ISE using the + Add API endpoint button. Click here to learn how.
- Click Data Source - LDAP Attribute Mapping to match endpoints and to map AD LDAP attributes with the respective attributes in Cisco ISE. [ADManager Plus also lets you customize attribute format from Cisco ISE]
- Click + Add New Configuration and perform the following:
- Enter the Configuration Name and Description and select the Automation Category from the drop-down menu.
- In the Select Endpoint field, select the desired endpoint and a Primary Key that is unique to a user (e.g. employeeIdentifier). Note: When multiple endpoints are configured, this attribute must hold the same value in all the endpoints.
- In the Attribute Mapping field, select the attribute from the LDAP Attribute Name drop-down menu and map it with the respective column in Cisco ISE.
- If you would like to create a new custom format for this, click Mapping Attribute.
- Click Save.
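The two things the inbound configuration above boils down to are an authenticated GET against the endpoint URL (with the {ise-ip-address} and {port} macros resolved and the Basic Authorization header attached) and a join of the returned records against AD on the primary key chosen in the attribute mapping. The following is an added example, not ADManager Plus or Cisco ISE code: it builds that request and then reconciles a constructed ISE response against constructed AD records, reporting users present on only one side and mapped attributes whose values disagree. The endpoint path, the JSON layout of the response, the AD records and the attribute mapping are all assumptions made up for the example.

```python
"""Added example (not ADManager Plus or Cisco ISE code): build the inbound
request the pre-configured endpoint describes, then reconcile the records it
returns against Active Directory on the configured primary key.

Assumptions: the endpoint path, the JSON layout of the ISE response, the AD
records and the attribute mapping below are constructed for this example."""
import base64
import json
from typing import Any, Dict, List, Optional

# Endpoint URL with the same macros the configuration page uses. The path is a
# placeholder; take the real path from Cisco ISE's API references.
ENDPOINT_URL = "https://{ise-ip-address}:{port}/example/admin-users"


def build_request(url_template: str, macros: Dict[str, str], username: str,
                  password: str, extra_headers: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Resolve macros in the URL and add the Basic Authorization header that the
    Authorization configuration step preconfigures for every call."""
    url = url_template
    for name, value in macros.items():
        url = url.replace("{" + name + "}", value)
    if "{" in url:  # an unresolved macro would be sent literally; fail instead
        raise ValueError(f"unresolved macro in URL: {url}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    headers.update(extra_headers or {})
    return {"method": "GET", "url": url, "headers": headers}


# Constructed ISE-style response (not real ISE output). employeeIdentifier is the
# primary key, as in the page's example; the other attribute names are assumed.
ISE_RESPONSE = json.dumps({"users": [
    {"employeeIdentifier": "E1001", "name": "asmith", "email": "asmith@example.com"},
    {"employeeIdentifier": "E1002", "name": "bjones", "email": "bjones@example.com"},
    {"employeeIdentifier": "E1003", "name": "cdoe", "email": "cdoe@example.com"},
]})

# Constructed AD records, as the LDAP side would return them.
AD_USERS = [
    {"employeeID": "E1001", "sAMAccountName": "asmith", "mail": "asmith@example.com"},
    {"employeeID": "E1002", "sAMAccountName": "bjones", "mail": "b.jones@example.com"},  # mail differs
    {"employeeID": "E1004", "sAMAccountName": "dlee", "mail": "dlee@example.com"},       # not in ISE
]

# LDAP attribute name -> Cisco ISE column (the Data Source - LDAP Attribute Mapping step).
ATTRIBUTE_MAPPING = {"employeeID": "employeeIdentifier", "sAMAccountName": "name", "mail": "email"}
PRIMARY_KEY_LDAP = "employeeID"


def index_by_key(records: List[Dict[str, Any]], key: str) -> Dict[str, Dict[str, Any]]:
    """Index records on the primary key; it must be present and unique per user."""
    index: Dict[str, Dict[str, Any]] = {}
    for record in records:
        value = record.get(key)
        if not value:
            raise ValueError(f"record without primary key {key!r}: {record}")
        if value in index:
            raise ValueError(f"duplicate primary key {value!r}")
        index[value] = record
    return index


def reconcile(ise_json: str, ad_users: List[Dict[str, Any]], mapping: Dict[str, str],
              primary_key_ldap: str) -> Dict[str, Any]:
    """Return users only in ISE (stale access), only in AD (not provisioned) and,
    for users on both sides, mapped attributes whose values disagree."""
    ise_index = index_by_key(json.loads(ise_json)["users"], mapping[primary_key_ldap])
    ad_index = index_by_key(ad_users, primary_key_ldap)
    mismatched: Dict[str, Dict[str, tuple]] = {}
    for key in sorted(set(ise_index) & set(ad_index)):
        diffs = {}
        for ldap_attr, ise_attr in mapping.items():
            if ldap_attr == primary_key_ldap:
                continue
            ad_value, ise_value = ad_index[key].get(ldap_attr), ise_index[key].get(ise_attr)
            if ad_value != ise_value:
                diffs[ldap_attr] = (ad_value, ise_value)
        if diffs:
            mismatched[key] = diffs
    return {"only_in_ise": sorted(set(ise_index) - set(ad_index)),
            "only_in_ad": sorted(set(ad_index) - set(ise_index)),
            "mismatched": mismatched}


if __name__ == "__main__":
    request = build_request(ENDPOINT_URL, {"ise-ip-address": "192.0.2.10", "port": "9060"},
                            "apiuser", "example-password")
    print(request["method"], request["url"])
    print(json.dumps(reconcile(ISE_RESPONSE, AD_USERS, ATTRIBUTE_MAPPING, PRIMARY_KEY_LDAP), indent=2))
```

The "only_in_ise" list is the one worth alerting on: those are identities that can still authenticate to the network without a matching directory record, which is exactly the condition the policy-driven sync is meant to prevent. The duplicate-key check enforces the note on the page that the primary key must be unique to a user; if two endpoints are configured, run the same check across their combined output.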
Outbound webhook configuration
Outbound webhook enables you to push changes made in AD through ADManager Plus to Cisco ISE, or to fetch or forward the required details from Cisco ISE and synchronize them with AD. To configure an outbound webhook for Cisco ISE:
- Under Outbound Webhook, click Cisco ISE Webhook Configuration.
- Click + Add Webhook.
- Enter a name and description for this webhook.
- Decide on the action that has to be performed and refer to Cisco ISE's API references for the API details such as the URL, headers, parameters, and other requirements that will be needed.
- Select the HTTP method that will enable you to perform the desired action on the endpoint from the drop-down menu.
- Enter the endpoint URL.
- Configure the Headers, Parameters, and Message Type in the appropriate format based on the API call that you would like to perform.
- Click Test and Save.
- A pop-up window will then display a list of AD users and groups to test the configured API call. Select the desired user or group on which this API request has to be tested and click OK. This will make a real-time call to the endpoint URL, and the selected objects will be modified as per the configuration.
- The webhook response and request details will then be displayed. Verify them for the expected API behavior and click Save.
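Because the Test and Save step makes a real call that modifies the selected object, it helps to see exactly what request an outbound webhook definition produces for a given user before pointing it at a live system. The following is an added example, not ADManager Plus or Cisco ISE code: it renders a webhook definition (method, URL, headers, JSON message) for one selected AD user, refuses to send if a macro cannot be resolved or the URL is not HTTPS, and checks the response the way the final verification step asks you to. The %attribute% macro syntax, the URL paths, the message layouts and the stand-in transport are assumptions made up for the example; real resource paths and message formats come from Cisco ISE's API references.

```python
"""Added example (not ADManager Plus or Cisco ISE code): render an outbound
webhook for one selected AD user and validate the response before saving.

Assumptions: %attr% macro syntax, the example URL paths, the message layouts
and FakeTransport are all constructed for this example."""
import json
import re
from typing import Any, Dict, Optional

ENV = {"ise-ip-address": "192.0.2.10", "port": "9060"}   # endpoint macros
ATTR_MACRO = re.compile(r"%([A-Za-z0-9]+)%")             # %attributeName% (assumed syntax)
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}

# Constructed webhook definitions, one per AD event. Paths are placeholders.
WEBHOOKS: Dict[str, Dict[str, Any]] = {
    "user_created": {"method": "POST", "url": "https://{ise-ip-address}:{port}/example/users",
                     "headers": {"Content-Type": "application/json"},
                     "body": {"name": "%sAMAccountName%", "email": "%mail%", "enabled": True}},
    "user_modified": {"method": "PUT",
                      "url": "https://{ise-ip-address}:{port}/example/users/%employeeID%",
                      "headers": {"Content-Type": "application/json"},
                      "body": {"email": "%mail%"}},
    "user_deleted": {"method": "DELETE",
                     "url": "https://{ise-ip-address}:{port}/example/users/%employeeID%",
                     "headers": {}, "body": None},
}


def render(value: Any, user: Dict[str, str]) -> Any:
    """Replace %attr% macros with the selected user's values, recursing through
    dicts and lists. A missing or empty attribute is an error, never '' (an empty
    %employeeID% would otherwise turn a per-user DELETE into a collection URL)."""
    if isinstance(value, str):
        def substitute(match: "re.Match") -> str:
            attr = match.group(1)
            if not user.get(attr):
                raise ValueError(f"AD attribute {attr!r} is empty or missing for this user")
            return user[attr]
        return ATTR_MACRO.sub(substitute, value)
    if isinstance(value, dict):
        return {k: render(v, user) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, user) for v in value]
    return value


def build_call(webhook: Dict[str, Any], user: Dict[str, str],
               env: Dict[str, str] = ENV) -> Dict[str, Any]:
    """Produce the exact request the test step would send for one selected user."""
    if webhook["method"] not in ALLOWED_METHODS:
        raise ValueError(f"unsupported HTTP method {webhook['method']!r}")
    url = webhook["url"]
    for name, value in env.items():
        url = url.replace("{" + name + "}", value)
    url = render(url, user)
    if not url.startswith("https://"):  # the Authorization header carries credentials
        raise ValueError("endpoint URL must use HTTPS")
    body = render(webhook["body"], user)
    return {"method": webhook["method"], "url": url, "headers": dict(webhook["headers"]),
            "body": None if body is None else json.dumps(body)}


class FakeTransport:
    """Stands in for the network: records each call and returns a canned response."""
    def __init__(self, status: int, body: str) -> None:
        self.status, self.body = status, body
        self.sent: list = []

    def send(self, call: Dict[str, Any]) -> Dict[str, Any]:
        self.sent.append(call)
        return {"status": self.status, "body": self.body}


def run_test_call(webhook: Dict[str, Any], user: Dict[str, str], transport: Any) -> Dict[str, Any]:
    """Send one call and judge the response: 2xx status and, if a body is present,
    well-formed JSON. Returns request and response for the verification step."""
    call = build_call(webhook, user)
    response = transport.send(call)
    ok = 200 <= response["status"] < 300
    parsed: Optional[Any] = None
    if response["body"]:
        try:
            parsed = json.loads(response["body"])
        except json.JSONDecodeError:
            ok = False
    return {"request": call, "response": response, "parsed": parsed, "ok": ok}


if __name__ == "__main__":
    selected = {"sAMAccountName": "asmith", "mail": "asmith@example.com", "employeeID": "E1001"}
    outcome = run_test_call(WEBHOOKS["user_modified"], selected, FakeTransport(200, '{"id": "E1001"}'))
    print(json.dumps(outcome, indent=2))
```

Swapping FakeTransport for a real HTTP client is the only change needed to run this against an instance; keeping the rendering and the validation separate from the transport is what lets you review the request for the wrong user or method before anything is modified.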