126 Views, 0 Helpful, 4 Replies
Cisco Employee

ISE AD-Connector integration with LDAPs support

Dears,

AD-Connector uses the protocols listed below between ISE and AD; all connections are secured and encrypted using SASL for LDAP, and RPC is encrypted using AES or higher depending on the AD version.

So currently, is LDAPS supported on AD-Connector? Is this feature on the roadmap/plans for the future? If yes, when will it be released?

The other workaround is to use LDAP-Connector, but you have some limitations with this connector:

  • Can't use the Certificate Smart Search option
  • PEAP and EAP-FAST are not supported
  • Passive Identity Connector is not supported
  • Restrictions on group memberships when Active Directory is configured as an LDAP store:
         - Users or computers must be direct members of the group defined in the policy conditions to match the policy rule.
         - The defined group may not be a user's or computer's primary group. This restriction is applicable only when AD is configured as an LDAP store.
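As an added example (not code from the original post or from Cisco ISE), here is a small Python model of the two group-membership restrictions listed above, run over constructed directory entries so it works offline. The contrasting "resolved" view (nested groups plus the primary group) is an assumption about how the AD connector evaluates membership, not something stated in this thread; all DNs and SIDs are made up.

```python
# Added example (not from the original post): models the two group-membership
# restrictions ISE applies when Active Directory is used as an LDAP external
# identity store (direct membership only; the primary group never matches)
# and contrasts them with full resolution. All entries are constructed.
from typing import Dict, List, Set

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed directory entries. As in real AD, a user's primary group is
# expressed only through primaryGroupID; it appears neither in the user's
# memberOf nor in the group's member attribute.
GROUPS: Dict[str, Dict] = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"rid": 513, "member": []},
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "rid": 1105, "member": ["CN=alice,OU=People,DC=example,DC=com"]},
    "CN=All-Staff,OU=Groups,DC=example,DC=com": {
        "rid": 1106, "member": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
}
USERS: Dict[str, Dict] = {
    "CN=alice,OU=People,DC=example,DC=com": {
        "primaryGroupID": 513,
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
}

def object_sid(group_dn: str) -> str:
    return f"{DOMAIN_SID}-{GROUPS[group_dn]['rid']}"

def primary_group_dn(user_dn: str) -> str:
    """Resolve primaryGroupID the way AD defines it: domain SID + RID."""
    target = f"{DOMAIN_SID}-{USERS[user_dn]['primaryGroupID']}"
    return next(dn for dn in GROUPS if object_sid(dn) == target)

def direct_groups(user_dn: str) -> Set[str]:
    """Groups an LDAP store can match: the user's direct memberOf only."""
    return set(USERS[user_dn]["memberOf"])

def resolved_groups(user_dn: str) -> Set[str]:
    """Assumed AD-connector view: nested parents and the primary group included."""
    seen: Set[str] = set()
    todo: List[str] = list(USERS[user_dn]["memberOf"]) + [primary_group_dn(user_dn)]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(p for p, e in GROUPS.items() if g in e["member"])
    return seen

def policy_matches(user_dn: str, group_dn: str, store: str) -> bool:
    """Would a rule conditioned on group_dn match user_dn via this store?"""
    if store == "ldap":  # direct member only, and never the primary group
        return group_dn in direct_groups(user_dn) and group_dn != primary_group_dn(user_dn)
    return group_dn in resolved_groups(user_dn)
```

Running `policy_matches` for a user against a nested parent group or against "Domain Users" shows which policy conditions would silently fail to match under the LDAP store.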
1 ACCEPTED SOLUTION
Cisco Employee

Re: ISE AD-Connector integration with LDAPs support

Dears,

I have got confirmation from the BU that AD-Connector supports LDAPS.

Thanks all

4 REPLIES
VIP Engager

Re: ISE AD-Connector integration with LDAPs support

So as you already pointed out, secure LDAP is supported today, and there is a built-in schema out of the box for integrating with Active Directory.

But it is not supported on the AD connector; you can only set it up as an LDAP external identity store. If you want this functionality to be explored, then you will have to submit an ISE enhancement request.

Now I'm not certain on the limitations you identified. I have used LDAP for PEAP, and EAP-FAST with EAP chaining.

Cisco Employee

Re: ISE AD-Connector integration with LDAPs support

Thanks Damien for your reply.

  • What did you mean by "there is a built-in schema out of the box for integrating with Active Directory"? Do you mean LDAP-Connector?
  • Did you use MSCHAPv2 as the inner method for PEAP and EAP-FAST, or was it a certificate?

VIP Engager

Re: ISE AD-Connector integration with LDAPs support

Damien,

Please clarify your LDAP comment on PEAP because the admin guide and the GUI both make it very clear it is not supported. I believe I have tried it as well and it doesn't work. If you are doing PEAP with cert as the inner method, well, that is a different story.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5
