
11-15-2019 02:21 AM
Hi all,
Does someone know if ISE is affected by "2020 LDAP channel binding and LDAP signing requirement for Windows" https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
Labels: Identity Services Engine (ISE)
Accepted Solutions
12-09-2019 08:18 AM
AFAIK it's not affecting ISE using AD as AD join points. If using it as LDAP sources, then just use LDAPS.
02-03-2020 07:25 AM - edited 02-03-2020 07:48 AM
I checked my lab by doing a Wireshark capture while testing a user logon. I am using single node deployment of ISE 2.6 patch 3 and my External Identity source is Active Directory. The AD server is Windows Server 2016. I captured from my DC filtering on traffic from the ISE server.
Even though user authentication appears to happen via MS-RPC on tcp/445, I also see an LDAP bind on tcp/389.
Note that the ISE Admin Guide specifies that LDAP (via tcp/389) is a required port for Active Directory (not talking about AD as an LDAP server) as an External Identity Source:
I found reference in some older versions of BRKSEC-3697 noting that CLDAP (AD/LDAP on udp/389) is used for AD Domain Controller selection. This was further explained in an old Voice of the Engineer presentation I have from 2014. It notes that the exchange is encrypted and authenticated with SASL (not LDAP/S).
Also, when we run the Active Directory Diagnostic Tool, five of the tests are for LDAP functions.
So...this all leads to doubt.
For now, I've subscribed to the ENH bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs67071/?rfs=iqvred, but would appreciate any additional information here as well.

03-09-2020 11:43 AM
Marvin,
Have you gotten any more information on this over the last month? I haven't seen any other updates on this issue and of course many customers are sending questions in on it.
Thanks.
03-16-2020 12:48 PM
Hi,
First of all, per Microsoft statements, the update gives new options, which are not enforced by default. Next, communication still uses LDAP, so port 389 is still gonna be used. The updates just bring in some optional security features to LDAP (LDAP Channel Binding and LDAP Signing).
So I guess this is more of a question to the BU, if current or future ISE AD Agent supports these features, and how will these be set. My belief is that it's not supported today, as otherwise there should have been some options available to configure it.
Regards,
Cristian Matei.
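The two posts above turn on one question that a packet capture can answer: is the bind ISE sends on tcp/389 a simple bind (cleartext password, the kind a DC set to "Require signing" refuses on a non-TLS connection) or a SASL bind (for example GSS-SPNEGO, which can negotiate integrity protection and so keeps working)? The following is an added example, not code from the thread, from Cisco or from Microsoft: a minimal BER decoder that classifies an LDAP BindRequest the way you would otherwise read it off the Wireshark "protocolOp" tree. The sample PDUs are constructed with the small encoder in the block (the DN `cn=ise,dc=lab`, the password and the SASL token bytes are invented), and the function names are the example's own.

```python
# Added example: classify an LDAP BindRequest (RFC 4511) captured on tcp/389
# as a simple bind or a SASL bind. The PDUs used below are constructed locally
# with the tlv()/encode_bind() helpers, not taken from a real domain controller.

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- encoder, used only to construct sample packets -------------------------
def simple_auth(password: str) -> bytes:
    return tlv(0x80, password.encode())   # AuthenticationChoice [0] simple

def sasl_auth(mechanism: str, token: bytes) -> bytes:
    # AuthenticationChoice [3] SaslCredentials { mechanism, credentials }
    return tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))

def encode_bind(msg_id: int, name: str, auth: bytes) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, authentication }
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + auth)
    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }   (msg_id kept < 128)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

# --- decoder ----------------------------------------------------------------
def classify_bind(pdu: bytes) -> dict:
    """Parse one LDAPMessage and describe the BindRequest it carries."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, bind, _ = read_tlv(msg, pos)
    if op_tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest (APPLICATION 0)")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": version[0], "name": name.decode(), "mechanism": None}
    if auth_tag == 0x80:
        info["auth"] = "simple"
    elif auth_tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)
        info["auth"], info["mechanism"] = "sasl", mech.decode()
    else:
        info["auth"] = "other"
    return info

def signing_verdict(info: dict, over_tls: bool) -> str:
    """What a DC configured to require LDAP signing does with this bind.
    Only the cleartext simple bind is refused outright; a SASL bind is accepted
    when the mechanism negotiates integrity, which the BindRequest alone cannot
    prove, so that case is flagged for a look at the GSSAPI flags."""
    if info["auth"] == "simple":
        return "protected by TLS" if over_tls else "rejected: unsigned simple bind"
    if info["auth"] == "sasl":
        return f"accepted if {info['mechanism']} negotiates signing (check flags)"
    return "unknown authentication choice"

# Constructed sample PDUs (not captured traffic).
SIMPLE_BIND = encode_bind(1, "cn=ise,dc=lab", simple_auth("Secret1"))
SASL_BIND = encode_bind(2, "", sasl_auth("GSS-SPNEGO", b"\x60\x00"))

if __name__ == "__main__":
    for pdu in (SIMPLE_BIND, SASL_BIND):
        info = classify_bind(pdu)
        print(info, "->", signing_verdict(info, over_tls=False))
```

Feeding a real capture is a matter of exporting the TCP payload of the bind packet (Wireshark: the bytes of the LDAPMessage) and passing it to `classify_bind`; if the result is a simple bind on plain tcp/389, that is the traffic the signing requirement will break, and the fix Cristian and the accepted answer point to is LDAPS for LDAP identity sources.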
