Create a Realm and Realm Directory
The following procedure enables you to create a realm (a connection between the CDO and an Active Directory forest) and a directory (a connection between the CDO and an LDAP server or an Active Directory domain controller).
(Recommended.) To connect securely from the Cisco Defense Orchestrator to your Active Directory server, first perform the following tasks:
Microsoft has announced that Active Directory servers will start enforcing LDAP binding and LDAP signing in 2020. Microsoft is making these a requirement because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site.
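As an added example that is not part of this Cisco documentation, the following PowerShell script audits the domain controller side of that requirement before a realm directory is pointed at it: it reads the two NTDS registry values that control LDAP signing and LDAP channel binding enforcement, lists the Directory Service events that report clients still binding without signing or over cleartext LDAP, and confirms that an LDAPS bind on port 636 succeeds. It assumes an elevated session on the domain controller for the registry and event checks; the server name `dc1.example.com` is a placeholder.

```powershell
# Added example, not part of the Cisco CDO documentation: audit a domain
# controller's LDAP signing and channel binding enforcement, and test an
# LDAPS bind, before pointing a CDO realm directory at it.
# Run in an elevated PowerShell session on the domain controller (registry
# and event checks); the bind test also works from a domain-joined host.

$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$props = Get-ItemProperty -Path $ntds

# LDAPServerIntegrity: 1 = None (default when the value is absent), 2 = Require signing.
$signing = if ($null -ne $props.LDAPServerIntegrity) { $props.LDAPServerIntegrity } else { 1 }
# LdapEnforceChannelBinding: 0 = Never (default when absent), 1 = When supported, 2 = Always.
$cbt = if ($null -ne $props.LdapEnforceChannelBinding) { $props.LdapEnforceChannelBinding } else { 0 }

[pscustomobject]@{
    LDAPServerIntegrity       = $signing
    SigningRequired           = ($signing -eq 2)
    LdapEnforceChannelBinding = $cbt
    ChannelBindingAlways      = ($cbt -eq 2)
} | Format-List

# Before tightening either setting, find the clients that would break.
# The Directory Service log records a 24-hour summary (event 2887) of
# SASL binds without signing and simple binds over cleartext LDAP; with the
# "16 LDAP Interface Events" diagnostic level raised to 2 it also logs one
# event per offending client (event 2889) with its IP address and account.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Confirm that the directory accepts a bind over TLS (LDAPS on 636), the
# connection type the realm directory should use. Binds with the caller's
# Windows credentials via Negotiate; server certificate validation stays on.
function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()
        return $true
    } catch {
        Write-Warning "LDAPS bind to ${Server}:${Port} failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# 'dc1.example.com' is a placeholder; use the domain controller named in the
# realm's directory configuration.
Test-LdapsBind -Server 'dc1.example.com'
```

If `SigningRequired` or `ChannelBindingAlways` reports `False`, review the 2887/2889 events for clients that still bind insecurely and fix those first; once the values are raised to 2, a realm directory that uses plain LDAP on port 389 with simple binds will stop working, so the directory should be configured for LDAPS (which the bind test above exercises) before enforcement is turned on.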
For more information about realm and directory configuration fields, see Realm Fields and Realm Directory and Synchronize fields.
A step-by-step example of setting up a realm with cross-domain trust is shown in Configure the CDO for Cross-Domain-Trust: The Setup.
Note: You must specify a unique AD Primary Domain for every Microsoft Active Directory (AD) realm. Although the system allows you to specify the same AD Primary Domain for different AD realms, the system won't function properly. This happens because the system assigns a unique ID to every user and group in each realm; therefore, the system cannot definitively identify any particular user or group. The system prevents you from specifying more than one realm with the same AD Primary Domain because users and groups won't be identified properly.
Before you begin
If you're using Kerberos authentication for captive portal, see the following section before you begin: Prerequisites for Kerberos Authentication.
If you are managing devices with Cisco Defense Orchestrator (CDO), create a proxy sequence first as discussed in Create a Proxy Sequence.
Procedure
Step 1. Log in to the Cisco Defense Orchestrator.
Step 2. Click System.
Step 3. To create a new realm, click Add Realm.
Step 4. To perform other tasks (such as enable, disable, or delete a realm), see Manage a Realm.
Step 5. Enter realm information as discussed in Realm Fields.
Step 6. (Optional.) From the Proxy list, click a managed device or proxy sequence to communicate with ISE/ISE-PIC if CDO is unable to do so. For example, your CDO might be in a public cloud but the ISE/ISE-PIC server might be on an internal intranet.
Step 7. In the Directory Server Configuration section, enter directory information as discussed in Realm Directory and Synchronize fields.
Step 8. (Optional.) To configure another domain for this realm, click Add another directory.
Step 9. Click Configure Groups and Users. Enter the following information:
Step 10. Click the Realm Configuration tab.
Step 11. Enter Group Attribute, and (if you use Kerberos authentication for captive portal) enter AD Join Username and AD Join Password. For more information, see Realm Directory and Synchronize fields.
Step 12. If you use Kerberos authentication, click Test. If the test fails, wait a short time and try again.
Step 13. Enter user session timeout values, in minutes, for ISE/ISE-PIC Users, Terminal Server Agent Users, Captive Portal Users, Failed Captive Portal Users, and Guest Captive Portal Users.
Step 14. When you're finished configuring the realm, click Save.
What to do next
- Edit, delete, enable, or disable a realm; see Manage a Realm.
- Optionally, monitor the task status; see Viewing Task Messages.