10-15-2017 08:17 AM
Hi Team,
My requirement is to integrate Cisco ISE with Windows 2016 AD for dot1x authentication.
I have configured AD as an external device in ISE; while testing test-user authentication I get the error below. I have an Administrator user available in Active Directory.
-------------------------
Test Username: Administrator
ISE Node: ISE-MAIN.FactoryTest.com
Scope: Default_Scope
Instance: knpc
Authentication Result: FAILED
Error: No such user, please refer to Test user option to get further information
Processing Steps:
19:44:48:964: Resolving identity - Administrator
19:44:48:964: Search for matching accounts at join point - wms-server
19:44:48:964: Skipping unjoined domain - wms-server
19:44:48:964: Identity resolution detected no matching account
19:44:48:964: Identity resolution failed - ERROR_NO_SUCH_USER
-----------------------
Current ISE Version
---------------
ISE-MAIN/cisco# show application version ise
Cisco Identity Services Engine
---------------------------------------------
Version : 2.2.0.470
---------------
Your help to understand issue would be appreciated.
10-15-2017 04:50 PM
wms-server looks like a server name but does not look like a proper join domain name. A proper domain name looks like DNS domains and is usually in the form of "<Secondary-Level-Domain>.<Top-Level-Domain>" (e.g. acme.com) or more levels (e.g. us.acme.com).
10-27-2017 08:35 AM
Thanks for your reply.
wms-server is an AD server name; my test domain name is FactoryTest.com. Where do I need to change this "wms-server" to FactoryTest.com?
10-27-2017 08:48 AM
Yes.
Attached is from our ISE training lab.
Join Point Name: demoAD -- this can be anything as long as it is unique in the ISE system dictionaries and in the supported character set.
Active Directory Domain: demo.local -- this is the AD domain name. In your case, it should be factorytest.com. Please ensure the DNS servers configured for ISE are able to resolve all AD DNS records efficiently.
Domain Controller: ad.demo.local -- this is the DC that ISE is connected to.
10-28-2017 01:48 AM
Yes, I have tried the above suggestion; however, I get the same result.
Please refer to the screenshot for details.
----
ISE-SECONDARY/cisco# nslookup _ldap._tcp.dc._msdcs.factorytest.com querytype srv
Trying "_ldap._tcp.dc._msdcs.factorytest.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22693
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.factorytest.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.factorytest.com. 600 IN SRV 0 100 389 WMS-SERVER.FactoryTest.com.
;; ADDITIONAL SECTION:
WMS-SERVER.FactoryTest.com. 3600 IN A 10.224.6.209
Received 116 bytes from 10.224.6.209#53 in 0 ms
------------------------------
Any Suggestion?
10-30-2017 09:43 AM
Are you getting errors while joining the ISE nodes to your AD domain? I am not seeing a screenshot on that.
As Charles said, the ISE nodes need to be joined to the AD domain before such tests will work.
10-16-2017 04:07 AM
You have to join the domain with ISE. Go back to where you added the AD Server, select that server and click the Join button. You will be prompted for credentials. These credentials need permission to join machines to the domain.
10-27-2017 08:37 AM
I've tried to join AD; however, I get the error below.
=========================
Error Description: Failed to find domain controller, please check network connectivity
Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049
Detailed Log:
Error Description :
Failed to find domain controller in domain WMS-SERVER : There are no available DC`s
Error Resolution :
Please make sure that one of the DC`s is reachable and it`s not configured as RODC. For further information please refer to the AD diagnostic tools
Join steps :
20:07:22 Joining to domain WMS-SERVER using user administrator
20:07:22 Searching for DC in domain WMS-SERVER
20:07:28 Failed to find domain controller in domain WMS-SERVER : There are no available DC`s
==========================
11-03-2017 02:30 AM
Thanks all for your kind help.
The issue was with NTP: the AD timezone and time were incorrect; when I synchronized them, the issue got resolved.
03-13-2019 01:26 AM
The docs say that for ISE it's critical to have time synchronised. What I did: set up an NTP client on ISE, as well as an NTP client on Windows (it's a good idea to use the same NTP source, as in my case), and the service came up immediately.
Please don't forget to mark helpful posts.
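The following is an added pre-join check written for this page; it is not code from the thread, from Cisco ISE, or from any of the posters. It models the two failure modes diagnosed above, the join point configured with the DC host name WMS-SERVER instead of the AD domain factorytest.com, and clock skew between ISE and the DC after the NTP problem, against constructed DNS data copied from the nslookup output posted in the thread. The 5-minute limit is the Kerberos default maximum clock skew; the function names, the sample timestamps and the check logic are my own assumptions about how a domain-join client locates a DC.

```python
"""Pre-join sanity checks for an ISE Active Directory join point.

Added example: reproduces the two failure modes from the thread
(host name entered as the domain, and ISE/DC clock skew) offline.
"""
from datetime import datetime, timedelta, timezone

# Kerberos default maximum tolerable clock skew between a client and the KDC (AD DC).
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Constructed DNS data, modelled on the nslookup output posted in the thread.
SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs.factorytest.com": [
        # (priority, weight, port, target)
        (0, 100, 389, "WMS-SERVER.FactoryTest.com"),
    ],
}
A_RECORDS = {
    "wms-server.factorytest.com": "10.224.6.209",
}

# Constructed timestamps (assumption): the DC clock is one hour off in the skewed case.
ISE_TIME = datetime(2017, 10, 27, 20, 7, 22, tzinfo=timezone.utc)
DC_TIME_SKEWED = ISE_TIME + timedelta(hours=1)


def looks_like_dns_domain(name: str) -> bool:
    """An AD domain name has at least two DNS labels (e.g. factorytest.com);
    a bare host name such as WMS-SERVER has only one."""
    labels = [label for label in name.strip(".").split(".") if label]
    return len(labels) >= 2 and all(label.replace("-", "").isalnum() for label in labels)


def find_domain_controllers(domain, srv_records=SRV_RECORDS, a_records=A_RECORDS):
    """Locate DCs the way a domain-join client does: SRV lookup of
    _ldap._tcp.dc._msdcs.<domain>, then an A lookup of each SRV target.
    Returns a list of (target, ip, port)."""
    key = f"_ldap._tcp.dc._msdcs.{domain.lower().strip('.')}"
    dcs = []
    for _priority, _weight, port, target in srv_records.get(key, []):
        ip = a_records.get(target.lower().strip("."))
        if ip:
            dcs.append((target, ip, port))
    return dcs


def check_join_prerequisites(domain, ise_time, dc_time,
                             srv_records=SRV_RECORDS, a_records=A_RECORDS):
    """Return a list of problems that would make the ISE join (and therefore
    any test-user lookup against that join point) fail. Empty list means OK."""
    problems = []
    if not looks_like_dns_domain(domain):
        problems.append(f"'{domain}' is a host name, not a DNS domain name; "
                        "enter the AD domain (e.g. factorytest.com)")
        return problems  # nothing else is meaningful until the domain is right

    if not find_domain_controllers(domain, srv_records, a_records):
        problems.append(f"no DC SRV/A records found for {domain}: check that the "
                        "DNS servers configured on ISE can resolve the AD zone")

    skew = abs(ise_time - dc_time)
    if skew > MAX_CLOCK_SKEW:
        problems.append(f"clock skew of {skew} exceeds the Kerberos limit of "
                        f"{MAX_CLOCK_SKEW}; sync ISE and AD to the same NTP source")
    return problems


if __name__ == "__main__":
    # The original misconfiguration from the thread.
    print(check_join_prerequisites("WMS-SERVER", ISE_TIME, ISE_TIME))
    # Correct domain name, but clocks an hour apart (the NTP problem).
    print(check_join_prerequisites("factorytest.com", ISE_TIME, DC_TIME_SKEWED))
    # Correct domain name and synchronised clocks.
    print(check_join_prerequisites("factorytest.com", ISE_TIME, ISE_TIME))
```

Run the module directly to see the three outcomes in order: the host-name error that matches "Failed to find domain controller in domain WMS-SERVER", the clock-skew warning, and an empty list once both are fixed. Against a real environment the DNS dictionaries would be replaced by the SRV and A answers from the ISE CLI `nslookup ... querytype srv` shown above.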