https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216883#M112317 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I think I understood the customer concern. This is quoted from Microsoft<A href="http://support.microsoft.com/kb/321051" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681; text-decoration: none;" target="_blank">http://support.microsoft.com/kb/321051</A></P><P></P><P><SPAN style="background-color: #ffffff; font-family: Arial, verdana, sans-serif; font-size: 12px;">"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."</SPAN></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">ISE User Guide explais a little about security if the external identity source is an LDAP, but nothing about security is indicated in Active Directory configuration. </P><P></P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Regards.</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp; </SPAN></P> Mon, 11 Mar 2019 03:32:42 GMT descalante2007 2019-03-11T03:32:42Z https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216883#M112317 <P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I think I understood the customer concern. This is quoted from Microsoft<A href="http://support.microsoft.com/kb/321051" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681; text-decoration: none;" target="_blank">http://support.microsoft.com/kb/321051</A></P><P></P><P><SPAN style="background-color: #ffffff; font-family: Arial, verdana, sans-serif; font-size: 12px;">"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."</SPAN></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">ISE User Guide explais a little about security if the external identity source is an LDAP, but nothing about security is indicated in Active Directory configuration. </P><P></P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Regards.</P><P></P><P><SPAN style="font-size: 10pt;">&nbsp;&nbsp; </SPAN></P> Mon, 11 Mar 2019 03:32:42 GMT https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216883#M112317 descalante2007 2019-03-11T03:32:42Z https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216884#M112333 <HTML><HEAD></HEAD><BODY><P>I'm sure somebody else will have a better answer, but if you're in doubt about how the AD feature works, why not just mirror the port and capture some traffic - prove how it works for yourself? Alternatively, just create your own LDAPS connection instead of using the AD feature?<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sat, 15 Jun 2013 06:29:10 GMT https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216884#M112333 Richard Atkin 2013-06-15T06:29:10Z https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216885#M112395 <HTML><HEAD></HEAD><BODY><P>Kindly review the below link</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049448" rel="nofollow">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049448</A></P></BODY></HTML> Fri, 28 Jun 2013 11:26:56 GMT https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216885#M112395 manjeets 2013-06-28T11:26:56Z https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216886#M112454 <HTML><HEAD></HEAD><BODY><P>Hi,<BR /><BR />The AD join operations allows you to run PEAP protocol and is much more resilient than using ldap because of the way it joins itself to the domain. It uses kerberos and rpc when performing user authentication.<BR /><BR />When using ldaps that is configuration based on when you add the ldap instance.<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sat, 29 Jun 2013 06:42:29 GMT https://community.cisco.com/t5/network-access-control/ise-active-directory-ldaps/m-p/2216886#M112454 Tarik Admani 2013-06-29T06:42:29Z