Versions: latest, v0.2.2, v0.2.1, v0.2.0
Location in GUI : Administration » Identity Management » External Identity Sources » Active Directory
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| active_directories | List | [active_directories] | No | |

Fields of each active_directories entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\.]+$` | Yes | |
| description | String | | No | |
| domain | String | | Yes | |
| join_domain | Boolean | true, false | No | true |
| ad_scopes_names | String | | No | Default_Scope |
| ad_username | String | | No | |
| ad_password | String | | No | |
| enable_domain_allowed_list | Boolean | true, false | No | true |
| groups | List | [groups] | No | |
| attributes | List | [attributes] | No | |
| rewrite_rules | List | [rewrite_rules] | No | |
| enable_rewrites | Boolean | true, false | No | false |
| enable_pass_change | Boolean | true, false | No | true |
| enable_machine_auth | Boolean | true, false | No | true |
| enable_machine_access | Boolean | true, false | No | true |
| enable_dialin_permission_check | Boolean | true, false | No | false |
| plaintext_auth | Boolean | true, false | No | false |
| aging_time | Integer | min: 1, max: 8760 | No | 5 |
| enable_callback_for_dialin_client | Boolean | true, false | No | false |
| identity_not_in_ad_behaviour | Choice | REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL | No | |
| unreachable_domains_behaviour | Choice | PROCEED, DROP | No | |
| schema | Choice | ACTIVE_DIRECTORY, CUSTOM | No | |
| first_name | String | | No | |
| department | String | | No | |
| last_name | String | | No | |
| organizational_unit | String | | No | |
| job_title | String | | No | |
| locality | String | | No | |
| email | String | | No | |
| state_or_province | String | | No | |
| telephone | String | | No | |
| country | String | | No | |
| street_address | String | | No | |
| enable_failed_auth_protection | Boolean | true, false | No | false |
| failed_auth_threshold | Integer | min: 1 | No | 5 |
| auth_protection_type | Choice | WIRELESS, WIRED, BOTH | No | |

Fields of each groups entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| sid | String | | No | |
| type | Choice | BUILTIN, DOMAIN LOCAL, GLOBAL, UNIVERSAL | No | |

Fields of each attributes entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\.]+$` | Yes | |
| type | Choice | STRING, IP, BOOLEAN, INT, OCTET_STRING | Yes | |
| internal_name | String | | Yes | |
| default_value | String | | No | |

Fields of each rewrite_rules entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| row_id | Integer | | Yes | |
| rewrite_match | String | | Yes | |
| rewrite_result | String | | Yes | |
Example 1: Full domain join with groups (default behavior) - Creates the AD join point, joins ISE to the domain, and adds groups for policy use. Groups are specified as objects with a name (the SID will be looked up from AD). The join account given in ad_username/ad_password does not need to be a Domain Admin; it only needs the right to join computers to the domain, and because ad_password is stored as a literal in this file, restrict who can read the file.

```yaml
active_directories:
  # each entry also needs name (mandatory, regex ^[\w\d_\-\.]+$); ad_password pairs with ad_username
  - description: Corporate AD with full join
    domain: corp.example.com
    ad_scopes_names: Default_Scope
    ad_username: administrator
    groups:
      - name: corp.example.com/Users/Domain Admins
      - name: corp.example.com/Users/Network Admins
```
Example 2: Create join point only, without joining the domain - Useful for initial setup, or for environments where the domain join has to be performed separately. Because join_domain defaults to true, it must be set to false explicitly:

```yaml
active_directories:
  # each entry also needs name (mandatory, regex ^[\w\d_\-\.]+$)
  - description: AD join point without domain join
    domain: corp.example.com
    ad_scopes_names: Default_Scope
    join_domain: false
    # No groups specified - will be added later
```
Example 3: Add groups to an existing join point without re-joining - Updates an existing AD configuration to add groups without triggering a domain re-join. Groups are objects with a name field (the SID will be looked up from AD, so AD must be reachable):

```yaml
active_directories:
  # each entry also needs name (mandatory, regex ^[\w\d_\-\.]+$)
  - description: Add groups to existing join point
    domain: corp.example.com
    ad_scopes_names: Default_Scope
    join_domain: false   # Don't re-join, just update groups
    groups:
      - name: corp.example.com/Users/Domain Admins
      - name: corp.example.com/Users/Network Admins
      - name: corp.example.com/Users/Helpdesk
```
Example 4: Add groups with SIDs, without domain join or AD connectivity - Specify groups with their Security Identifiers (SIDs) directly, which removes the need for a domain join and an AD lookup. Ideal for test/dev environments without AD access, or when you want faster deployments. The saving applies only to groups that carry a sid: a group listed by name alone (the Builtin/Users entry below) is still resolved through an AD lookup.

```yaml
active_directories:
  # each entry also needs name (mandatory, regex ^[\w\d_\-\.]+$)
  - description: AD groups with pre-defined SIDs
    domain: corp.example.com
    ad_scopes_names: Default_Scope
    join_domain: false   # No AD join required!
    groups:
      - name: corp.example.com/Users/Domain Admins
        sid: S-1-5-21-1234567890-1234567890-1234567890-512
      - name: corp.example.com/Users/Network Admins
        sid: corp.example.com/S-1-5-21-1234567890-1234567890-1234567890-1001
      - name: corp.example.com/Builtin/Users   # no sid given, so this one is still looked up from AD
```
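The schema above and Examples 1 to 4 are easy to get subtly wrong: a misspelled key, a group without a sid in a join_domain: false entry that will still need an AD lookup, or credentials missing from an entry that is going to perform a join. The linter below is an added example, not part of this page or of the project's own tooling; it transcribes the latest active_directories table into checks and runs them over a parsed config. The join-point names and the second, deliberately broken entry in SAMPLE are constructed for the demonstration; the rule that a join needs both ad_username and ad_password is an assumption drawn from Examples 1 to 3 rather than a statement on the page, and the SID syntax check accepts both of the forms shown in Example 4.

```python
from __future__ import annotations

import re
from typing import Any

# Transcribed from the latest active_directories table above.
NAME_RE = re.compile(r"^[\w\d_\-\.]+$")
# Accepts "S-1-5-21-...-RID" and the "domain/S-1-..." form shown in Example 4.
SID_RE = re.compile(r"^(?:[\w.-]+/)?S-1-\d+(?:-\d+)+$")
CHOICES = {
    "identity_not_in_ad_behaviour": {"REJECT", "SEARCH_JOINED_FOREST", "SEARCH_ALL"},
    "unreachable_domains_behaviour": {"PROCEED", "DROP"},
    "schema": {"ACTIVE_DIRECTORY", "CUSTOM"},
    "auth_protection_type": {"WIRELESS", "WIRED", "BOTH"},
}
GROUP_TYPES = {"BUILTIN", "DOMAIN LOCAL", "GLOBAL", "UNIVERSAL"}
BOOL_FIELDS = {
    "join_domain", "enable_domain_allowed_list", "enable_rewrites", "enable_pass_change",
    "enable_machine_auth", "enable_machine_access", "enable_dialin_permission_check",
    "plaintext_auth", "enable_callback_for_dialin_client", "enable_failed_auth_protection",
}
STRING_FIELDS = {
    "name", "description", "domain", "ad_scopes_names", "ad_username", "ad_password",
    "first_name", "department", "last_name", "organizational_unit", "job_title", "locality",
    "email", "state_or_province", "telephone", "country", "street_address",
}
INT_RANGES = {"aging_time": (1, 8760), "failed_auth_threshold": (1, None)}
LIST_FIELDS = {"groups", "attributes", "rewrite_rules"}
KNOWN = BOOL_FIELDS | STRING_FIELDS | set(INT_RANGES) | set(CHOICES) | LIST_FIELDS


def lint_join_point(jp: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one active_directories entry."""
    errors: list[str] = []
    warnings: list[str] = []
    for key in jp:  # a typo such as ad_scope_names would otherwise go unnoticed
        if key not in KNOWN:
            errors.append(f"unknown key {key!r}")
    for key in ("name", "domain"):
        if not jp.get(key):
            errors.append(f"{key} is mandatory")
    if jp.get("name") and not NAME_RE.match(str(jp["name"])):
        errors.append(f"name {jp['name']!r} violates regex {NAME_RE.pattern}")
    for key in BOOL_FIELDS:
        if key in jp and not isinstance(jp[key], bool):
            errors.append(f"{key} must be true or false")
    for key, (lo, hi) in INT_RANGES.items():
        if key in jp:
            v = jp[key]
            if not isinstance(v, int) or v < lo or (hi is not None and v > hi):
                errors.append(f"{key}={v!r} outside allowed range")
    for key, allowed in CHOICES.items():
        if key in jp and jp[key] not in allowed:
            errors.append(f"{key}={jp[key]!r} not one of {sorted(allowed)}")
    join = jp.get("join_domain", True)  # table default
    # Assumption (not stated on the page): performing a join needs both credentials.
    if join and not (jp.get("ad_username") and jp.get("ad_password")):
        errors.append("join_domain is true but ad_username/ad_password are not both set")
    if jp.get("ad_password"):
        warnings.append("ad_password is a literal secret in the config file; restrict read access")
    if jp.get("plaintext_auth") is True:
        warnings.append("plaintext_auth is enabled (table default is false)")
    for i, g in enumerate(jp.get("groups") or []):
        if not isinstance(g, dict) or not g.get("name"):
            errors.append(f"groups[{i}] must be an object with a name")
            continue
        sid = g.get("sid")
        if sid is not None and not SID_RE.match(str(sid)):
            errors.append(f"groups[{i}] sid {sid!r} is not a well-formed SID")
        if "type" in g and g["type"] not in GROUP_TYPES:
            errors.append(f"groups[{i}] type {g['type']!r} not one of {sorted(GROUP_TYPES)}")
        if sid is None and not join:  # Example 4 caveat: name-only groups are still looked up
            warnings.append(f"groups[{i}] {g['name']!r} has no sid and still needs an AD lookup")
    return errors, warnings


def lint_config(cfg: dict[str, Any]) -> dict[str, tuple[list[str], list[str]]]:
    """Lint every entry under active_directories, keyed by join-point name (or index)."""
    return {str(jp.get("name", f"#{i}")): lint_join_point(jp)
            for i, jp in enumerate(cfg.get("active_directories") or [])}


# Constructed sample: Example 4 from the page (with an assumed name) plus one broken entry.
SAMPLE = {"active_directories": [
    {"name": "corp_sid_groups", "description": "AD groups with pre-defined SIDs",
     "domain": "corp.example.com", "ad_scopes_names": "Default_Scope", "join_domain": False,
     "groups": [
         {"name": "corp.example.com/Users/Domain Admins",
          "sid": "S-1-5-21-1234567890-1234567890-1234567890-512"},
         {"name": "corp.example.com/Users/Network Admins",
          "sid": "corp.example.com/S-1-5-21-1234567890-1234567890-1234567890-1001"},
         {"name": "corp.example.com/Builtin/Users"},
     ]},
    {"name": "bad join point", "domain": "corp.example.com", "ad_scope_names": "Default_Scope",
     "plaintext_auth": True, "aging_time": 9000, "groups": [{"name": "x", "sid": "S-1-5-oops"}]},
]}

if __name__ == "__main__":
    for name, (errs, warns) in lint_config(SAMPLE).items():
        print(name, "errors:", errs, "warnings:", warns)
```

To run it against a real file, load it with PyYAML (`yaml.safe_load(open(path))`) and pass the resulting dict to lint_config before applying the config; the unknown-key check is the one that catches a misspelled setting that would otherwise be ignored, and the sid warning tells you which groups will still generate AD traffic in a join_domain: false entry.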
Earlier versions (v0.2.2, v0.2.1, v0.2.0) share the definition below. Compared with latest: there is no join_domain field, ad_username and ad_password are mandatory, groups is a list of plain strings, attributes.default_value is mandatory and rewrite_rules.row_id is a String.

Location in GUI : Administration » Identity Management » External Identity Sources » Active Directory

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| active_directories | List | [active_directories] | No | |

Fields of each active_directories entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\.]+$` | Yes | |
| description | String | | No | |
| domain | String | | Yes | |
| ad_scopes_names | String | | No | Default_Scope |
| ad_username | String | | Yes | |
| ad_password | String | | Yes | |
| enable_domain_allowed_list | Boolean | true, false | No | true |
| groups | List | String | No | |
| attributes | List | [attributes] | No | |
| rewrite_rules | List | [rewrite_rules] | No | |
| enable_rewrites | Boolean | true, false | No | false |
| enable_pass_change | Boolean | true, false | No | true |
| enable_machine_auth | Boolean | true, false | No | true |
| enable_machine_access | Boolean | true, false | No | true |
| enable_dialin_permission_check | Boolean | true, false | No | false |
| plaintext_auth | Boolean | true, false | No | false |
| aging_time | Integer | min: 1, max: 8760 | No | 5 |
| enable_callback_for_dialin_client | Boolean | true, false | No | false |
| identity_not_in_ad_behaviour | Choice | REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL | No | |
| unreachable_domains_behaviour | Choice | PROCEED, DROP | No | |
| schema | Choice | ACTIVE_DIRECTORY, CUSTOM | No | |
| first_name | String | | No | |
| department | String | | No | |
| last_name | String | | No | |
| organizational_unit | String | | No | |
| job_title | String | | No | |
| locality | String | | No | |
| email | String | | No | |
| state_or_province | String | | No | |
| telephone | String | | No | |
| country | String | | No | |
| street_address | String | | No | |
| enable_failed_auth_protection | Boolean | true, false | No | false |
| failed_auth_threshold | Integer | min: 1 | No | 5 |
| auth_protection_type | Choice | WIRELESS, WIRED, BOTH | No | |

Fields of each attributes entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[\w\d_\-\.]+$` | Yes | |
| type | Choice | STRING, IP, BOOLEAN, INT, OCTET_STRING | Yes | |
| internal_name | String | | Yes | |
| default_value | String | | Yes | |

Fields of each rewrite_rules entry:

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| row_id | String | | Yes | |
| rewrite_match | String | | Yes | |
| rewrite_result | String | | Yes | |

Example: join point with groups given as plain strings. The join account in ad_username/ad_password does not need to be a Domain Admin, and ad_password is stored as a literal in this file, so restrict who can read it:

```yaml
active_directories:
  # each entry also needs name (mandatory, regex ^[\w\d_\-\.]+$) and ad_password (mandatory in these versions)
  - description: My AD join point
    domain: dcloud.cisco.com
    ad_scopes_names: Default_Scope
    ad_username: administrator
    groups:
      - dcloud.cisco.com/Builtin/Users
      - dcloud.cisco.com/Builtin/HELPDESK
```