Add AD Components in Secure Access

The integration of Active Directory (AD) with Cisco Secure Access requires that you add the AD components—AD domains and domain controllers—in the organization's environment and register these AD components in Secure Access.

This guide describes the steps to add domain controllers or domains in Secure Access and configure the communications between the domain controllers and the AD Connector.

Table of Contents

Prerequisites

Support for Multiple AD Domains and AD Forests

To integrate multiple AD domains or AD forests with Secure Access through integrations with domain controllers, deploy an AD Connector (with an additional AD Connector for redundancy) for each AD domain that integrates with Secure Access.

Procedure

Add your AD domain controllers or domains to Secure Access. After you add the AD components you can view them in Secure Access.

Verify Auditing of Logon Events on Domain Controllers

The AD integration with domain controllers requires each domain controller to audit logon events.

  1. On each domain controller (excluding read-only domain controllers), enable the Audit account logon events to include Success and Failure if it is set to No Auditing.

By default, this group policy is set to log Success logon events and you should not modify it. Secure Access requires the Audit account logon events setting so that it knows whether a user has logged in successfully and can then compare that login to subsequent events generated by that user.

If the Audit Policy is not set is, the Windows Configuration Script for Domain Controller displays this error message:

"ERROR: " 

 

----------------------------------------------------------------------------- 

Your Group Policy for this Domain Controller is set to NOT audit successful logon events! 

You MUST edit the following Group Policy for all DCs: 

 

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events 

 

Define that policy to audit Success attempts, gpupdate, and re-run this script!

Download the Windows Configuration Script for Domain Controllers

The Windows Configuration Script automates the permissions for the Cisco_Connector user.

In Secure Access, download the Windows Configuration Script for Domain Controller to the domain controllers in your environments.

  1. Navigate to Connect > Users and Groups > Users, click Provision Users, and then click Active Directory.
    After an initial AD deployment, navigate to Connect > Users and Groups > Users, click Configuration management, and expand Active Directory.
  2. For Windows Configuration Script for Domain Controller, click Download.
  1. Download and save the configuration script to a location on the machine where you plan to run it.
    Note: The configuration script is written in Visual Basic Script and is in plain text.

Run the Windows Configuration Script for the Domain Controllers

Run the Windows Configuration Script for Domain Controller on all of the domain controllers at each site, (excluding read-only domain controllers (RODCs)) for each domain that will integrate with Secure Access. The configuration script prepares the domain controllers to communicate with the AD Connector.

  1. As an administrator, open an elevated command prompt.
    Important: Before running the script, you must create the Cisco_Connector. Also, there are several Group Policies that affect system operation that may need manual configuration. The script displays the status of these settings and, if needed, provides instructions on how to change them.
  2. Locate the Windows Configuration Script for Domain Controller file and run the script in the command prompt.
    Note:  Substitute the Windows configuration script filename (including the .wsf file extension) in the cscript command.
cscript forcenonva=true <Windows Configuration Script filename with extension> or cscript forcenonva=true <Windows Configuration Script filename with extension> --username <sAMAccountName for custom user>

Important: The script displays your current configuration, then offers to auto-configure the domain controller. If the auto-configure steps are successful, the script offers to registers the domain controller with Secure Access. Registration only occurs if you accept this offer.

Repeat the steps to add your domain controllers in Secure Access. It is essential that each domain controller in each AD domain environment has the configuration script run on it in order for the service to work as expected, both for high availability and overall reliability.

Add a Domain Controller in Secure Access

Choose the domain controller component type and set up the domain controller to sync with Secure Access.

For LDAP or LDAPS AD queries, AD integration requires that you register an AD domain controller or AD domain in Secure Access. The Cisco AD Connector performs an LDAP sync against this domain controller or domain to retrieve the Users and Groups. The Cisco AD Connector server communicates with the domain controller on port 389 over TCP for LDAP sync or port 636 over SSL for LDAP.

The Cisco AD Connector can only retrieve users and groups from a single domain controller. If you register multiple domain controllers in Secure Access, the Cisco AD Connector only attempts to perform an LDAP sync against the first domain controller in the list. Ensure that the domain controller you are registering is not subject to any AD replication delays. Read-only Domain Controller (RODC) registrations are supported for retrieval of users and groups.

If you need to periodically bring down your domain controller for maintenance or updates or your domain controllers are behind a load balancer that does not support LDAP queries, we recommend that you register the domain instead.

  1. Navigate to Connect > Users and Groups > Users, click Provision Users, and then click Active Directory.
    After an initial AD deployment, navigate to Connect > Users and Groups > Users, click Configuration Management, and expand Active Directory.
  2. Click Next.
  3. Choose Domain Controller to register the AD domain controller in Secure Access.
  1. Enter the hostname, internal IP address, and domain of the domain controller.
  2. For Active Directory tag, choose a Site to associate with the AD component.
  1. Click Next, and then follow the instructions to install the AD Connector.

Add a Domain in Secure Access

  1. Choose Domain to register the AD domain component.

  2. For Domain, enter the domain name.

  3. For Active Directory tag, choose a Site to associate with the AD component.

  4. Click Next, and then follow the instructions to install the Cisco AD Connector.



Manage AD Components < Add AD Components in Secure Access > Manage Sites for AD Components