Cisco ISE (2.2.0.470) & AD (Window 2016 STD R2) Integration Issue

vishal agavane · ‎10-15-2017

Hi Team,

My requirement is to integration cisco ISE with Window 2016 AD for Dot1x Authentication.

I have configured AD as external Device in ISE, while testing test user authentication I could get below error. I have Administrator user available in Active Directory..

-------------------------

Test Username	: Administrator
ISE NODE	: ISE-MAIN.FactoryTest.com
Scope	: Default_Scope
Instance	: knpc

Authentication Result : FAILED

Error

: No such user, please refer to Test user option to get further information

Processing Steps:

19:44:48:964: Resolving identity - Administrator

19:44:48:964: Search for matching accounts at join point - wms-server

19:44:48:964: Skipping unjoined domain - wms-server

19:44:48:964: Identity resolution detected no matching account

19:44:48:964: Identity resolution failed - ERROR_NO_SUCH_USER

-----------------------

Current ISE Version

---------------

ISE-MAIN/cisco# show application version ise

Cisco Identity Services Engine

---------------------------------------------

Version : 2.2.0.470

---------------

Your help to understand issue would be appreciated.

hslai · ‎10-15-2017

wms-server looks like a server name but does not look like a proper join domain name. A proper domain name looks like DNS domains and is usually in the form of "<Secondary-Level-Domain>.<Top-Level-Domain>" (e.g. acme.com) or more levels (e.g. us.acme.com).

vishal agavane · ‎10-27-2017

Thanks for your reply.

wms-server is a AD server name, my test domain name is FactoryTest.com. Where do i need to change this "wms-server" to FactoryTest.com?

hslai · ‎10-27-2017

Yes.

Attached is from our ISE training lab.

Joint Point Name: demoAD -- this can be anything as long as it unique in ISE system dictionaries and in supported character set.

Active Directory Domain: demo.local -- this is the AD domain name. In your case, it should be factorytest.com. Please ensure the DNS servers configured for ISE able to resolve all AD DNS records efficiently.

Domain Controller: ad.demo.local -- this is the DC that ISE connected to.

vishal agavane · ‎10-28-2017

Yes I have tried with above suggestion however could get same result.

Please refer screenshot for your details understanding.

----

-----------

---------

ISE-SECONDARY/cisco# nslookup _ldap._tcp.dc._msdcs.factorytest.com querytype srv

Trying "_ldap._tcp.dc._msdcs.factorytest.com"

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22693

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;_ldap._tcp.dc._msdcs.factorytest.com. IN SRV

;; ANSWER SECTION:

_ldap._tcp.dc._msdcs.factorytest.com. 600 IN SRV 0 100 389 WMS-SERVER.FactoryTest.com.

;; ADDITIONAL SECTION:

WMS-SERVER.FactoryTest.com. 3600 IN A 10.224.6.209

Received 116 bytes from 10.224.6.209#53 in 0 ms

------------------------------

Any Suggestion?

hslai · ‎10-30-2017

Are you getting errors while joining the ISE nodes to your AD domain? I am not seeing a screenshot on that.

As Charles said, the ISE nodes need joined to the AD domain before such tests to work.

Charlie Moreton · ‎10-16-2017

You have to join the domain with ISE. Go back to where you added the AD Server, select that server and click the Join button. You will be prompted for credentials. These credentials need permission to join machines to the domain.

vishal agavane · ‎10-27-2017

I've tried to join AD however could get below error.

=========================

Error Description: Failed to find domain controller, please check network connectivity

Support Details...

Error Name: LW_ERROR_FAILED_FIND_DC

Error Code: 40049

Detailed Log:

Error Description :

Failed to find domain controller in domain WMS-SERVER : There are no available DC`s

Error Resolution :

Please make sure that one of the DC`s is reachable and it`s not configured as RODC. For further information please refer to the AD diagnostic tools

Join steps :

20:07:22 Joining to domain WMS-SERVER using user administrator

20:07:22 Searching for DC in domain WMS-SERVER

20:07:28 Failed to find domain controller in domain WMS-SERVER : There are no available DC`s

==========================

vishal agavane · ‎11-03-2017

Thanks all for your kind help.

Issue was with NTP, AD timezone and time was incorrect when i synchronized issue got resolved.

oatroshc · ‎03-13-2019

Docs say for ISE it's critical to have a time synchronised. What I did - set up NTP client on ISE, as well NTP client on Windows (good idea to use the same NTP source, as in my case) - and the service came up immediately.
Please don't forget to mark helpful posts.