Active Directory

Location in GUI: Administration » Identity Management » External Identity Sources » Active Directory

Diagram

Classes

identity_management (ise)

Name	Type	Constraint	Mandatory	Default Value
active_directories	List	[active_directories]	No

active_directories (ise.identity_management)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[\w\d_\-\.]+$	Yes
description	String		No
domain	String		Yes
join_domain	Boolean	true, false	No	true
ad_scopes_names	String		No	Default_Scope
ad_username	String		No
ad_password	String		No
enable_domain_allowed_list	Boolean	true, false	No	true
groups	List	[groups]	No
attributes	List	[attributes]	No
rewrite_rules	List	[rewrite_rules]	No
enable_rewrites	Boolean	true, false	No	false
enable_pass_change	Boolean	true, false	No	true
enable_machine_auth	Boolean	true, false	No	true
enable_machine_access	Boolean	true, false	No	true
enable_dialin_permission_check	Boolean	true, false	No	false
plaintext_auth	Boolean	true, false	No	false
aging_time	Integer	min: 1, max: 8760	No	5
enable_callback_for_dialin_client	Boolean	true, false	No	false
identity_not_in_ad_behaviour	Choice	REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL	No
unreachable_domains_behaviour	Choice	PROCEED, DROP	No
schema	Choice	ACTIVE_DIRECTORY, CUSTOM	No
first_name	String		No
department	String		No
last_name	String		No
organizational_unit	String		No
job_title	String		No
locality	String		No
email	String		No
state_or_province	String		No
telephone	String		No
country	String		No
street_address	String		No
enable_failed_auth_protection	Boolean	true, false	No	false
failed_auth_threshold	Integer	min: 1	No	5
auth_protection_type	Choice	WIRELESS, WIRED, BOTH	No

groups (ise.identity_management.active_directories)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
sid	String		No
type	Choice	BUILTIN, DOMAIN LOCAL, GLOBAL, UNIVERSAL	No

attributes (ise.identity_management.active_directories)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[\w\d_\-\.]+$	Yes
type	Choice	STRING, IP, BOOLEAN, INT, OCTET_STRING	Yes
internal_name	String		Yes
default_value	String		No

rewrite_rules (ise.identity_management.active_directories)

Name	Type	Constraint	Mandatory	Default Value
row_id	Integer		Yes
rewrite_match	String		Yes
rewrite_result	String		Yes

Examples

Example 1: Full domain join with groups (default behavior) - Creates AD join point, joins ISE to the domain, and add groups for policy use. Groups are specified as objects with name (SID will be looked up from AD):

ise:
  identity_management:
    active_directories:
      - name: corp.example.com
        description: Corporate AD with full join
        domain: corp.example.com
        ad_scopes_names: Default_Scope
        ad_username: administrator
        ad_password: C1sco12345
        groups:
          - name: corp.example.com/Users/Domain Admins
          - name: corp.example.com/Users/Network Admins

Example 2: Create join point only without joining domain - Useful for initial setup or environments where domain join needs to be performed separately:

ise:
  identity_management:
    active_directories:
      - name: corp.example.com
        description: AD join point without domain join
        domain: corp.example.com
        ad_scopes_names: Default_Scope
        join_domain: false
        # No groups specified - will be added later

Example 3: Add groups to existing join point without re-joining - Updates an existing AD configuration to add groups without triggering a domain re-join operation. Groups are objects with name field (SID will be looked up from AD):

ise:
  identity_management:
    active_directories:
      - name: corp.example.com
        description: Add groups to existing join point
        domain: corp.example.com
        ad_scopes_names: Default_Scope
        join_domain: false  # Don't re-join, just update groups
        groups:
          - name: corp.example.com/Users/Domain Admins
          - name: corp.example.com/Users/Network Admins
          - name: corp.example.com/Users/Helpdesk

Example 4: Add groups with SID without domain join or AD connectivity - Specify groups with their Security Identifiers (SIDs) directly, eliminating the need for domain join and AD lookup. Ideal for test/dev environments without AD access, or when you want faster deployments:

ise:
  identity_management:
    active_directories:
      - name: corp.example.com
        description: AD groups with pre-defined SIDs
        domain: corp.example.com
        ad_scopes_names: Default_Scope
        join_domain: false  # No AD join required!
        groups:
          - name: corp.example.com/Users/Domain Admins
            sid: S-1-5-21-1234567890-1234567890-1234567890-512
            type: GLOBAL
          - name: corp.example.com/Users/Network Admins
            sid: corp.example.com/S-1-5-21-1234567890-1234567890-1234567890-1001
            # type is optional
          - name: corp.example.com/Builtin/Users
            sid: S-1-5-32-545
            type: "BUILTIN"

Location in GUI: Administration » Identity Management » External Identity Sources » Active Directory

Diagram

Classes

identity_management (ise)

Name	Type	Constraint	Mandatory	Default Value
active_directories	List	[active_directories]	No

active_directories (ise.identity_management)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[\w\d_\-\.]+$	Yes
description	String		No
domain	String		Yes
ad_scopes_names	String		No	Default_Scope
ad_username	String		Yes
ad_password	String		Yes
enable_domain_allowed_list	Boolean	true, false	No	true
groups	List	String	No
attributes	List	[attributes]	No
rewrite_rules	List	[rewrite_rules]	No
enable_rewrites	Boolean	true, false	No	false
enable_pass_change	Boolean	true, false	No	true
enable_machine_auth	Boolean	true, false	No	true
enable_machine_access	Boolean	true, false	No	true
enable_dialin_permission_check	Boolean	true, false	No	false
plaintext_auth	Boolean	true, false	No	false
aging_time	Integer	min: 1, max: 8760	No	5
enable_callback_for_dialin_client	Boolean	true, false	No	false
identity_not_in_ad_behaviour	Choice	REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL	No
unreachable_domains_behaviour	Choice	PROCEED, DROP	No
schema	Choice	ACTIVE_DIRECTORY, CUSTOM	No
first_name	String		No
department	String		No
last_name	String		No
organizational_unit	String		No
job_title	String		No
locality	String		No
email	String		No
state_or_province	String		No
telephone	String		No
country	String		No
street_address	String		No
enable_failed_auth_protection	Boolean	true, false	No	false
failed_auth_threshold	Integer	min: 1	No	5
auth_protection_type	Choice	WIRELESS, WIRED, BOTH	No

attributes (ise.identity_management.active_directories)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[\w\d_\-\.]+$	Yes
type	Choice	STRING, IP, BOOLEAN, INT, OCTET_STRING	Yes
internal_name	String		Yes
default_value	String		Yes

rewrite_rules (ise.identity_management.active_directories)

Name	Type	Constraint	Mandatory	Default Value
row_id	String		Yes
rewrite_match	String		Yes
rewrite_result	String		Yes

Examples

ise:
  identity_management:
    active_directories:
      - name: AD
        description: My AD join point
        domain: dcloud.cisco.com
        ad_scopes_names: Default_Scope
        ad_username: administrator
        ad_password: C1sco12345
        groups:
          - dcloud.cisco.com/Builtin/Users
          - dcloud.cisco.com/Builtin/HELPDESK