https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3916909#M442173 Hi Jason,<BR /><BR />Thanks,<BR /><BR />I have managed to resolve this issue by changing the subject name to cn.<BR /> Fri, 30 Aug 2019 18:14:23 GMT Madhuri Dewangan 2019-08-30T18:14:23Z https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3914535#M442126 <P class="p1"><SPAN class="s1">Hello Expert,</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">My customer's requirement is , they want to use RADIUS protocol for Device Administration for the GUI Based Devices.&nbsp;</SPAN></P> <P class="p1"><SPAN class="s1">External Identity Source to be used for the same is LDAP server running in a Microsoft Server.&nbsp;</SPAN></P> <P class="p1"><SPAN class="s1">We have configured the Authc and Authz Policy for the same. Issue which we are facing here is when a user is logging into the GUI their authentication is failing, but on ISE RADIUS Live logs failed log is not seen. (No logs available for GUI Authentication Request)</SPAN></P> <P class="p1"><SPAN class="s1">We took packet capture for the same where we can seen device is sending "ACCESS-ACCEPT" to ISE node but node is sending back "ACCESS-REJECT".</SPAN></P> <P class="p1"><SPAN class="s1">Please note If we are using MS- Active Directory in AUthentication Rule same is working fine. But here the requirement is to use the LDAP server.</SPAN></P> <P class="p1"><SPAN class="s1">I have attached the pcap for the same.</SPAN></P> <P class="p1"><SPAN class="s1">Any pointer for the resolving this issue is really helpful!!!</SPAN></P> <P class="p1"><SPAN class="s1">&nbsp;</SPAN></P> <P class="p1"><SPAN class="s1">Thanks and Regards,</SPAN></P> Fri, 21 Feb 2020 19:09:08 GMT https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3914535#M442126 Madhuri Dewangan 2020-02-21T19:09:08Z https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3915002#M442145 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/123694">@Madhuri Dewangan</a>&nbsp;</P> <P>&nbsp;</P> <P>Sounds to me as if your LDAP integration is perhaps not working as expected.&nbsp; You would need to share some more details about how you integrated the LDAP, and the various tabs of the config that relate to that. I have set it up myself in the past and it's a fiddle job to get the parameters right (AD is plug and play, but with LDAP you have to be very prescriptive and exact).</P> <P>&nbsp;</P> <P><STRONG>Does the bind from ISE to LDAP success?</STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ldap1.PNG" style="width: 770px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/43910i296B451DA14B8F26/image-size/large?v=v2&amp;px=999" role="button" title="ldap1.PNG" alt="ldap1.PNG" /></span></P> <P>&nbsp;</P> <P>If your Subject Search Base and Group Search Base is setup correctly then you should be able to Retrieve Groups from Directory as a confirmation.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The wireshark doesn't tell us much - if you still have the pcap file, add an OR filter to include ldap - let's see what's going on there. And the ISE Live Logs must be showing the access-request at least, or else you have some suppression enabled that is blocking it.&nbsp; Disable it temporarily for testing</P> <P>Admin -&gt; System -&gt; Settings -&gt;Protocols -&gt; RADIUS&nbsp; &nbsp;and then uncheck the "Suppress repeated failed auths"</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Aug 2019 21:45:02 GMT https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3915002#M442145 Arne Bier 2019-08-27T21:45:02Z https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3916635#M442159 <P>I would also recommend working through TAC for deep level troubleshooting and support</P> Fri, 30 Aug 2019 11:02:50 GMT https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3916635#M442159 Jason Kunst 2019-08-30T11:02:50Z https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3916909#M442173 Hi Jason,<BR /><BR />Thanks,<BR /><BR />I have managed to resolve this issue by changing the subject name to cn.<BR /> Fri, 30 Aug 2019 18:14:23 GMT https://community.cisco.com/t5/network-access-control/device-admin-for-gui-based-device-using-ldap/m-p/3916909#M442173 Madhuri Dewangan 2019-08-30T18:14:23Z