At this point, we've added our roles, created Certificate Templates, pushed out a GPO, and laid the groundwork for pxGrid Identity Mapping (PassiveID in ISE 2.1). This is the point where I'm going to finish up my Active Directory configuration.
The first thing I usually do is create some test users and groups in Active Directory Users and Computers. Here are the users and groups I created for the purposes of my lab:
- Katherine McNamara - Domain Admin, BYOD-Users
- Jessica Jones - Employee, BYOD-Users
- Tony Stark - Vendor
Another thing that needs to be done before moving over to ISE is making sure that the time is set correctly. If you haven't already checked at this point, your certificates that have been issued might be in a different year, expired, etc. ISE will not allow joining to the domain if the clock skew is more than 5 minutes off from Active Directory. There are a couple ways of setting the time correctly:
- You can manually set it between ISE and the AD server but this can cause issues if either server is turned off for an extended period of time
- You can have it sync up with the ESXi host - realistic for a lab, not always for production
- You can use PowerShell to do so, as described in the following directions:
I would also recommend making sure that your server is issuing both computer and user certificates. A good way to check is to attach a computer to the local network and join it to the domain. After it's been joined and restarts, log in with your user credentials. If you open up Certification Authority again, you should be able to see the issued certificates under the Issued Certificates folder.
Likewise, you can open an MMC on the local computer that you joined and add the Certificates snap-in to check the local Computer and User certificate stores and make sure they are there.
If you find that certificates are not being issued, some good troubleshooting steps are:
- Check the Failed Requests folder in Certification Authority
- Check to make sure that the GPO is being applied to the local machine by running an RSoP (Resultant Set of Policy) report
- Check the permissions on your certificate template to be sure that your Domain User and Domain Computer groups have Read, Enroll and Autoenroll permissions for the appropriate certificate templates. Also make sure that other certificate templates do not have the same autoenroll permissions (pxGrid)
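As an added PowerShell example (not from the original post), the script below runs the checks above from a domain-joined lab workstation: the clock skew against the domain controller that ISE cares about, whether autoenrollment actually placed a certificate from each template in the machine and user stores, and the CA's recent failed or denied requests. The DC hostname, CA name and template names are assumptions for this lab.

```powershell
# Added lab-verification script (not from the original post). The hostname,
# CA name and template names below are assumptions; adjust to your lab.
$Dc          = 'dc01.lab.local'          # assumed DC / CA hostname
$CaConfig    = "$Dc\LAB-CA"              # assumed CA config string (host\CAName)
$MaxSkewSec  = 300                       # ISE refuses the domain join above 5 minutes
$Templates   = @{ 'LocalMachine' = 'ISE-Computer'; 'CurrentUser' = 'ISE-User' }  # assumed

# 1. Clock skew: sample the DC three times and average the offset.
$samples = w32tm /stripchart /computer:$Dc /samples:3 /dataonly |
    Select-String -Pattern ',\s*([+-]\d+\.\d+)s'
$offsets = $samples | ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
if (-not $offsets) {
    Write-Warning "Could not sample time from $Dc"
} else {
    $skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
    if ($skew -gt $MaxSkewSec) {
        Write-Warning ("Clock skew {0:N3}s exceeds the {1}s limit" -f $skew, $MaxSkewSec)
    } else {
        Write-Host ("Clock skew vs {0}: {1:N3}s (OK)" -f $Dc, $skew)
    }
}

# 2. Trigger autoenrollment now instead of waiting for the next GPO refresh.
certutil -pulse | Out-Null

# 3. Confirm a certificate from each expected template landed in the right store.
#    The template name lives in the Certificate Template Information extension.
$TemplateOid = '1.3.6.1.4.1.311.21.7'
foreach ($store in $Templates.Keys) {
    $want = $Templates[$store]
    $hit = Get-ChildItem "Cert:\$store\My" | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
        $ext -and $ext.Format($false) -match "Template=$want\b"
    }
    if ($hit) {
        Write-Host "$store store: found $($hit.Count) cert(s) from template '$want'"
    } else {
        Write-Warning "$store store: no cert from template '$want'; check Failed Requests, RSoP and template ACLs"
    }
}

# 4. List failed (Disposition 30) and denied (31) requests on the CA, which is
#    what the Failed Requests folder shows in the Certification Authority console.
certutil -config $CaConfig -view -restrict "Disposition>=30" `
    -out "RequestID,RequesterName,Request.DispositionMessage"
```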
The next thing I like to do after this is to ensure that my Certificate Web Enrollment Page is working. Open the browser on a computer attached to the local network or on your Server 2012 VM and navigate to https://AD-Server-IP/certsrv and make sure you are getting the following page:
In Server Manager, click on Local Server on the left-hand side. In the Properties panel, click on Remote Desktop. Make sure you enable Remote Desktop access, or you're going to have to console into the domain controller every time you want to access it.
I usually like adding all of my lab appliances to DNS as well for the sake of management later on. Go to the Start menu and open up DNS. For my lab, I added the following A records:
- 3650 Switch – 10.1.100.1
- FlowCollector – 10.1.100.8
- Stealthwatch Management Console – 10.1.100.9
- Firepower Management Console – 10.1.100.10
- Nexus 1000v – 10.1.100.11
- Prime Infrastructure – 10.1.100.13
- Web Security Appliance – 10.1.100.16
- ISE – 10.1.100.21
- Wireless Controller – 10.1.100.41
Congratulations! If you've made it this far, we've done a TON. We've set up a new domain, created our own certificate authority, customized and published certificate templates, created and applied a group policy, and configured the domain controller to be ready for pxGrid integration.