topic Re: ISE 2.6 and Microsoft AD integration using LDAP-S in Network Access Control

ISE 2.6 and Microsoft AD integration using LDAP-S

Ping Zhou — Wed, 03 Jun 2020 20:17:52 GMT

Hi Experts,

Under the configuration on ISE for Active Directory integration, Administration > Identity Management > External Identity Sources > Active Directory, I don't see the options to use "LDAP Secure" ( such as port 636). I assumed, with 2.6, ISE does support LDAPS for Microsoft AD, but can't find any configuration guide. Can anyone share some docs that cover how to setup ISE with LDAPS for Microsoft AD?, what's the certificate requirement? Any limitation on Authentication and Authorization? etc.

Thanks in advance.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

poongarg — Thu, 04 Jun 2020 07:57:56 GMT

AFAIK, the communication ports are fixed. We cannot change AD connector communication from LDAP 389 port to LDAPS 636 Port. Though it is LDAP, but all the attributes are encrypted.

If you need LDAPS, configure a new external LDAP identity store on ISE and there you can use LDAPS port.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Ping Zhou — Thu, 04 Jun 2020 14:51:18 GMT

Thanks. Is it Cisco recommended way of integrating with Microsoft AD using LDAP-S? I'm also looking for Cisco configuration guide if there is any...to understand what would be the impact to ISE on Certificate Mgmt, AuthC and AuthZ, as well as RSA SecureID (2FA).

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Anurag Sharma — Fri, 05 Jun 2020 14:01:33 GMT

Hi @Ping Zhou ,

You need to choose Schema as 'Active Directory'. Then configure it like in the picture below.

Make sure LDAP and ISE trust each other's certificate's CA certificates.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Ping Zhou — Fri, 05 Jun 2020 14:34:53 GMT

Much appreciated for the info. Do yon know if there is any Cisco docs for this? The Cisco doc here (https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html) doesn't mention any LDAP-S. Before I put this into production, I have to understand its behaviors and limitations as I mentioned above (if there is any). I plan to lab it out with the AD team, but also want to have some Cisco official recommendation, tech notes or something.

Thanks again for sharing your config screenshot.

,

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Anurag Sharma — Fri, 05 Jun 2020 14:41:03 GMT

We are working on updating a public Doc on Integration with Secure LDAP server. At this point, I'd urge you to do extensive lab testing before rolling-out in production.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Michael Kiessling — Mon, 26 Oct 2020 13:24:34 GMT

Hi,

do you have any updates regarding the public docs you mentioned?

Many thanks.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Kacey Wilson — Thu, 25 Feb 2021 18:37:51 GMT

Just wondering if there is an update on this yet?

Thanks.

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

Marcelo Morais — Thu, 25 Feb 2021 19:11:52 GMT

Hi @Kacey Wilson ,

it looks like that the answer is no ... please take a look at: ISE Installation Guide 3.0 - Node Ports., search for External Identity Sources and Resources (Outbound).

Hope this helps !!!

Re: ISE 2.6 and Microsoft AD integration using LDAP-S

axeleratorcisco — Fri, 23 Sep 2022 08:12:28 GMT

Is there any update on this?

If you use the standard way of joining the AD via Administration > Identity Management > External Identity Sources > Active Directory, are you still only able to use port 389?

I am reading the Implementing and Configuring Cisco Identity Services Engine (SISE), and it says the way which is suggested above by configuring it via an LDAP external Identity Source has limitations:

Active Directory and LDAP Comparison

Active Directory
1. Rich attribute set
2. Direct tie between ISE and AD
3. Fast performance
4. ISE can join multiple directories
5. Search up or down the tree
Active Directory accessed as LDAP server
1. ISE can join multiple directories
2. Slower performance
3. Fewer attributes
4. Search down the tree only

You can access the Active Directory database either as Active Directory or as an LDAP server. Both methods have their pros and cons:

When you connect to Active Directory via the Active Directory method, you gain advantages due to the direct tie between the Cisco ISE and Active Directory—an extensive attribute range, good performance, and the ability to search up or down the tree. Starting from version 1.3, Cisco ISE can join multiple directories.
When you connect to Active Directory as an LDAP server, you can join multiple directories. However, this method slows performance, offers fewer attributes, and supports only searching down the tree.

Why is it not possible to join the domain via LDAPs via Administration > Identity Management > External Identity Sources > Active Directory?