Cisco ISE doesn't send packets to AD

ToX1c1986
Level 1

Hello!

I've tried to configure authentication through AD. Integration of Cisco ISE with AD is successful and I can retrieve all groups from AD. I've configured dot1X authentication (Policy>Authentication) to use AD first, then Internal Users. I've configured the rule for one group in the authorization policy (Policy>Authorization); I've added this group from AD (Administration> Identity Management> External Identity Sources> Active Directory> Groups).

When the user tries to connect to the LAN and enters credentials from AD, Cisco ISE always uses only the Internal Identity Source and doesn't try to search for the user in AD. I don't see any packets to AD in Operations>Authentication and TCP Dump; Cisco ISE only checks the Internal Identity Source.

Does anybody know how to solve this problem?

Thank you!
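The original poster's diagnostic was to look at a TCP dump for packets from ISE to the domain controller. The following script is an added example, not code from the thread or from Cisco: it scans tcpdump-style text lines for flows from the ISE node to the AD domain controller on the Kerberos, LDAP/LDAPS, SMB and global-catalog ports, so you can tell "ISE never contacted AD" (a policy or identity-source-sequence problem on the ISE side) apart from "ISE contacted AD and the lookup failed" (a directory or trust problem). The node and DC addresses and the capture lines are constructed placeholders, not values from the thread.

```python
"""Check a tcpdump text capture for traffic from an ISE node to an AD domain
controller.  Added example, not from the forum thread; addresses and capture
lines below are constructed placeholders."""
import re
from collections import Counter

# Placeholder addresses (assumptions, not from the thread).
ISE_NODE = "10.0.0.10"
AD_DC = "10.0.0.20"

# Destination ports an ISE node uses when it talks to Active Directory.
AD_PORTS = {
    88: "kerberos",
    389: "ldap",
    636: "ldaps",
    445: "smb",
    3268: "gc",
    3269: "gc-ssl",
}

# Matches the "IP src.sport > dst.dport" part of tcpdump -n text output.
_FLOW = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def ad_flows(capture_lines, ise=ISE_NODE, dc=AD_DC):
    """Count packets from the ISE node to the DC, keyed by AD service name."""
    seen = Counter()
    for line in capture_lines:
        m = _FLOW.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if src == ise and dst == dc and dport in AD_PORTS:
            seen[AD_PORTS[dport]] += 1
    return seen


def diagnose(capture_lines, ise=ISE_NODE, dc=AD_DC):
    """Summarise whether the capture shows ISE reaching the DC at all."""
    seen = ad_flows(capture_lines, ise, dc)
    if not seen:
        return ("no ISE->AD traffic: check the authentication policy and the "
                "identity source sequence before looking at AD")
    detail = ", ".join(f"{name}={n}" for name, n in sorted(seen.items()))
    return "ISE->AD traffic present: " + detail


# Constructed capture: only RADIUS between the switch (10.0.0.5) and ISE,
# which is what the poster saw when AD was never consulted.
RADIUS_ONLY = [
    "12:00:01.000001 IP 10.0.0.5.50000 > 10.0.0.10.1812: RADIUS, Access-Request (1), id: 0x01 length: 120",
    "12:00:01.000500 IP 10.0.0.10.1812 > 10.0.0.5.50000: RADIUS, Access-Reject (3), id: 0x01 length: 20",
]

# Constructed capture: ISE opens Kerberos and LDAP connections to the DC.
WITH_AD = RADIUS_ONLY[:1] + [
    "12:00:01.000200 IP 10.0.0.10.40001 > 10.0.0.20.88: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000300 IP 10.0.0.10.40002 > 10.0.0.20.389: Flags [P.], seq 1:100, ack 1, length 99",
    "12:00:01.000350 IP 10.0.0.20.389 > 10.0.0.10.40002: Flags [P.], seq 1:50, ack 100, length 49",
    "12:00:01.000400 IP 10.0.0.10.40002 > 10.0.0.20.389: Flags [P.], seq 100:150, ack 50, length 50",
    "12:00:01.000600 IP 10.0.0.10.1812 > 10.0.0.5.50000: RADIUS, Access-Accept (2), id: 0x01 length: 40",
]

if __name__ == "__main__":
    print(diagnose(RADIUS_ONLY))
    print(diagnose(WITH_AD))
```

Feed it the output of `tcpdump -n` taken on the ISE node (or a text export of ISE's own TCP Dump) with the real node and DC addresses substituted; an empty result means the identity store was never asked, which is the symptom the poster describes.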

6 Replies

Philip James
Cisco Employee

May want to check your "Identity Source Sequences": Administration>Identity Management>Identity Source Sequences. Make sure you have the Active Directory identity source in the selected column.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

HTH, a bit.

Philip, thanks for the reply!

Yes, I have.

No AD in Identity Stores on the main dashboard.

The problem was a wrong Authentication configuration.

Now I have the following problem: ISE can't authenticate a wired guest user through Central Web Access.

The Guest Portal sends a message about successful authentication and after that redirects again to the Guest Portal.

I have two rules in Policy>Authorization (attach: Auth).

In Operations>Authentication I see the following (attach: Guest).

In defaultguestportal I have "Both" authentication and a sequence of 3 Identity Stores (Internal Users, Internal Endpoint, AD).

The problem is with multidomain forests. I have one domain MSK and several subdomains (forests) OFFICE and SECURE. Full trust relationships are established between all domains.

Cisco ISE connects to domain OFFICE. Authentication of all users from domains OFFICE and SECURE is fine. The problem appears when I try to authenticate users from domain SECURE which are in the domain OFFICE group and vice versa.

Does anybody know how to solve this problem?

Thank you!

Can you verify which trust is enabled for your domains? There is a limitation as to which type of trusts allow which protocols for authentication.

https://supportforums.cisco.com/thread/2191502

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik, hello! Nice to see you again! Thank you for the reply.

Between domains OFFICE and SECURE:

Trust type - Shortcut

Transitivity - Transitive

Direction - Two-way

Should authentication work or not?
