First install a fresh ISE 1.1 and test whether you can join it to AD (in case the system files of the previous install are corrupted). If that does not work, try ISE 1.2 and test again.
Please make sure the following conditions are met:
1 Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory.
2 If you have a firewall between Cisco ISE and Active Directory, ensure that the following ports are open for communication between Cisco ISE and Active Directory.
LDAP 389 (UDP)
SMB 445 (TCP)
KDC 88 (TCP)
Global Catalog 3268 (TCP), 3269
KPASS 464 (TCP)
NTP 123 (UDP)
LDAP 389 (TCP)
LDAPS 636 (TCP)
3 If Active Directory has a multidomain forest, ensure that trust relationships exist between the domain to which Cisco ISE is connected and the other domains that have user and machine information to which you need access. For more information on establishing trust relationships, refer to the Microsoft Active Directory documentation.
4 All of the Cisco ISE nodes in the deployment need to be able to perform forward and reverse Domain Name Service (DNS) lookup to effectively interoperate with Active Directory. DNS servers that you configure in Cisco ISE using the ip name-server command should be able to accurately resolve the domain names in an Active Directory identity source. The DNS server that is part of an Active Directory deployment is usually configured in Cisco ISE. If you have to configure multiple DNS servers, you can use the application configure ise command to do so.
You must have at least one global catalog server operational in the domain to which you are joining Cisco ISE.
The Active Directory username that you provide when joining an Active Directory domain should be predefined in Active Directory and must have one of the following permissions:
– Add the workstation to the domain to which you are trying to connect.
– On the computer where the Cisco ISE account was created, establish permissions for creating or deleting computer objects before joining Cisco ISE to the domain.
– Permissions for searching users and groups that are required for authentication.
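A pre-join check script, added here as an example and not part of the original reply or of Cisco's own tooling: it verifies two of the conditions above, forward/reverse DNS consistency (condition 4) and TCP reachability of the listed AD ports (condition 2). The hostnames and the injectable `resolve`/`reverse`/`connect` parameters are assumptions so the logic can be exercised offline.

```python
"""Pre-join checks for a Cisco ISE node against Active Directory.

Added example, not Cisco's code. Probes the DNS forward/reverse
requirement and TCP reachability of the AD ports listed in the reply.
Resolver and connector are injectable (assumption) for offline testing.
"""
import socket

# TCP ports ISE must reach on the domain controller, from the list above.
# UDP services (LDAP 389/UDP, NTP 123) are not probed: a UDP "connect"
# proves nothing, so check those with the ISE NTP status instead.
AD_TCP_PORTS = {
    "LDAP": 389, "SMB": 445, "KDC": 88,
    "Global Catalog": 3268, "Global Catalog SSL": 3269,
    "KPASS": 464, "LDAPS": 636,
}


def _resolve(name):
    """Forward lookup: hostname -> set of IPv4 addresses."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}


def _reverse(ip):
    """Reverse lookup: IP -> PTR hostname, lower-cased."""
    return socket.gethostbyaddr(ip)[0].lower()


def dns_consistent(name, resolve=_resolve, reverse=_reverse):
    """True when every address of `name` reverse-resolves back to `name`.

    Run this for each ISE node and for the domain controller; a missing
    or mismatching PTR record is a common cause of a failed domain join.
    """
    try:
        addrs = resolve(name)
    except OSError:
        return False
    name = name.lower().rstrip(".")
    for ip in addrs:
        try:
            if reverse(ip).lower().rstrip(".") != name:
                return False
        except OSError:
            return False
    return bool(addrs)


def _connect(host, port, timeout):
    socket.create_connection((host, port), timeout=timeout).close()


def unreachable_ports(dc_host, timeout=3.0, connect=_connect):
    """Return the names of AD services whose TCP port could not be opened."""
    blocked = []
    for service, port in AD_TCP_PORTS.items():
        try:
            connect(dc_host, port, timeout)
        except OSError:
            blocked.append(service)
    return blocked
```

Run `dns_consistent("ise-node.example.com")` and `unreachable_ports("dc1.example.com")` from a host on the same network path as the ISE node; any name in the returned list is a firewall rule to fix before attempting the join.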