Is ISE affected by "2020 LDAP channel binding and LDAP signing requirement for Windows"?

Marco Noviello
Level 4

Hi all,

Does anyone know whether ISE is affected by "2020 LDAP channel binding and LDAP signing requirement for Windows"? https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows


4 Replies

hslai
Cisco Employee (Accepted Solution)

AFAIK it's not affecting ISE using AD as AD join points. If using it as LDAP sources, then just use LDAPS.

I checked my lab by doing a Wireshark capture while testing a user logon. I am using single node deployment of ISE 2.6 patch 3 and my External Identity source is Active Directory. The AD server is Windows Server 2016. I captured from my DC filtering on traffic from the ISE server.

Even though user authentication appears to happen via MS-RPC on tcp/445, I also see an LDAP bind on tcp/389.

Note that the ISE Admin Guide specifies that LDAP (via tcp/389) is a required port for Active Directory (not talking about AD as an LDAP server) as an External Identity Source:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01110.html#reference_94BE6ABB85BC47C8AEC29EF8D286E6E4

I found a reference in some older versions of BRKSEC-3697 noting that CLDAP (AD/LDAP on udp/389) is used for AD Domain Controller selection. This was further explained in an old Voice of the Engineer presentation I have from 2014. It notes that the exchange is encrypted and authenticated with SASL (not LDAP/S).

Also, when we run the Active Directory Diagnostic Tool, five of the tests are for LDAP functions.

So...this all leads to doubt.

For now, I've subscribed to the ENH bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs67071/?rfs=iqvred, but would appreciate any additional information here as well.

Marvin,

Have you gotten any more information on this or the last month? I haven't seen any other updates on this issue and of course many customers are sending questions in on it.

Thanks.

Hi,

First of all, per Microsoft statements, the update gives new options, which are not enforced by default. Next, communication still uses LDAP, so port 389 is still gonna be used. The updates just bring in some optional security features to LDAP (LDAP Channel Binding and LDAP Signing).

So I guess this is more of a question to the BU, if current or future ISE AD Agent supports these features, and how will these be set. My belief is that it's not supported today, as otherwise there should have been some options available to configure it.

Regards,

Cristian Matei.
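Added here as a worked illustration of Cristian's point (and hslai's LDAPS advice); it is not code from the thread, from Cisco or from Microsoft. It models how a domain controller disposes of a bind under the two registry settings the Microsoft advisory introduces, with their documented defaults; the `Bind` model and the two candidate mechanisms for the tcp/389 bind Marvin captured are assumptions, because the thread does not identify which bind ISE performs.

```python
from dataclasses import dataclass

# Registry values on the domain controller, as described in the Microsoft
# guidance linked in the question (ADV190023). Windows defaults are shown;
# neither setting is enforced out of the box, which is Cristian's point.
#   LDAPServerIntegrity:       1 = signing not required (default), 2 = require signing
#   LdapEnforceChannelBinding: 0 = never (default), 1 = when supported, 2 = always
@dataclass(frozen=True)
class DcPolicy:
    ldap_server_integrity: int = 1
    ldap_enforce_channel_binding: int = 0


# Assumed model of one LDAP bind as seen by the DC (not taken from the thread).
@dataclass(frozen=True)
class Bind:
    tls: bool             # LDAPS (tcp/636) or StartTLS on tcp/389 negotiated before the bind
    mechanism: str        # "simple", "sasl-sign" (SASL with integrity) or "sasl-plain"
    channel_binding: str  # "valid", "missing" or "mismatch"; only meaningful when tls is True


def evaluate_bind(policy: DcPolicy, bind: Bind) -> str:
    """Return 'accepted' or a 'rejected: ...' string mirroring the DC's decision."""
    if bind.tls:
        # Channel binding tokens exist only for TLS-protected binds, and TLS itself
        # satisfies the signing requirement, so only the CBT rules apply here.
        if policy.ldap_enforce_channel_binding == 2 and bind.channel_binding != "valid":
            return "rejected: channel binding token required (LdapEnforceChannelBinding=2)"
        if policy.ldap_enforce_channel_binding == 1 and bind.channel_binding == "mismatch":
            return "rejected: channel binding token mismatch (LdapEnforceChannelBinding=1)"
        return "accepted"
    # Plaintext tcp/389: the signing requirement is what decides the outcome.
    if policy.ldap_server_integrity == 2 and bind.mechanism != "sasl-sign":
        # The DC answers with LDAP result code 8, strongerAuthRequired.
        return "rejected: strongerAuthRequired (LDAPServerIntegrity=2)"
    return "accepted"


def tcp389_bind_outcomes() -> dict:
    """Marvin's observed tcp/389 bind under default vs. fully enforced policy, for
    both bind mechanisms ISE might be using (the thread does not say which)."""
    default = DcPolicy()
    enforced = DcPolicy(ldap_server_integrity=2, ldap_enforce_channel_binding=2)
    return {
        mech: {
            "default": evaluate_bind(default, Bind(False, mech, "missing")),
            "enforced": evaluate_bind(enforced, Bind(False, mech, "missing")),
        }
        for mech in ("simple", "sasl-sign")
    }
```

The same evaluator shows why hslai's advice holds: a bind over LDAPS passes the signing requirement outright and only needs a valid channel binding token when the DC is set to "always".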