ISE 2.1 AD Connector Port 389 TCP

Volker Fries
Level 1

Hi together,

we have an ISE installation with integration to an AD (join) as external identity store.

When we sniff the connection from ISE to the DC, we can see that port 389 for LDAP is in use.

The customer wants to remove all insecure protocols in his network.

Is there a possibility to use port 636 (LDAPS) instead of 389?

We didn't find a way to configure LDAPS in the AD connection menu in the external identity store section. (Not in the LDAP connection menu!!!)


Hi Volker,

Yes, from what I can see you can enable secure LDAPS. Make sure on ISE you have valid certificates issued by the Internal PKI that the AD DC trusts.

- Create a new LDAP connection, specify the DC and port 636

- Specify the Admin DN, e.g. "CN=SVCAcct,CN=Users,DC=LAB,DC=NET", and password

- Enable Secure Authentication

- Select the Trusted Root Certificate (LDAP Server Root CA)

- Add Subject/Group Search Base

- Import groups

I took a tcpdump and confirmed the traffic was sent via 636 and encrypted. When you import the groups, that is when you'll know the connection is working and verify it is encrypted.
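A way to back up the tcpdump step above with something repeatable, as an added example that is not part of the original thread: the script takes `tcpdump -n` text output from the ISE node (a constructed sample is embedded; the ISE and DC addresses 10.1.1.10 and 10.1.1.5 are assumed) and reports every ISE-to-DC directory flow that still uses a cleartext-capable port (389 LDAP, 3268 Global Catalog) next to those on the TLS ports (636, 3269).

```python
"""Audit tcpdump text output from an ISE node for cleartext LDAP vs LDAPS towards the DC."""
import re

# Constructed sample of `tcpdump -n` output (not a real capture); ISE is 10.1.1.10, the DC is 10.1.1.5.
SAMPLE_TCPDUMP = """\
10:01:02.100001 IP 10.1.1.10.45120 > 10.1.1.5.389: Flags [S], seq 1, win 64240, length 0
10:01:02.100500 IP 10.1.1.5.389 > 10.1.1.10.45120: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:03.200001 IP 10.1.1.10.45121 > 10.1.1.5.636: Flags [S], seq 1, win 64240, length 0
10:01:03.250000 IP 10.1.1.10.45121 > 10.1.1.5.636: Flags [P.], seq 1:200, ack 1, win 502, length 199
10:01:04.000001 IP 10.1.1.10.45122 > 10.1.1.5.3268: Flags [S], seq 1, win 64240, length 0
10:01:05.000001 IP 10.1.1.10.45123 > 10.1.1.5.88: Flags [S], seq 1, win 64240, length 0
"""

# tcpdump prints "src.port > dst.port:" for TCP/UDP packets.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Standard AD directory ports: cleartext-capable vs TLS-wrapped.
CLEARTEXT_PORTS = {389: "LDAP", 3268: "Global Catalog"}
TLS_PORTS = {636: "LDAPS", 3269: "Global Catalog over TLS"}


def audit_ldap_flows(capture_text, ise_ip, dc_ip):
    """Return {"cleartext": {...}, "encrypted": {...}} mapping each ISE->DC flow
    (keyed by the ISE client port) to the directory service it reached.
    Packets on other ports (Kerberos, SMB, DNS) and DC->ISE replies are ignored."""
    report = {"cleartext": {}, "encrypted": {}}
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src != ise_ip or dst != dc_ip:
            continue  # only ISE-initiated traffic towards the DC matters here
        if dport in CLEARTEXT_PORTS:
            report["cleartext"][sport] = CLEARTEXT_PORTS[dport]
        elif dport in TLS_PORTS:
            report["encrypted"][sport] = TLS_PORTS[dport]
    return report


def only_ldaps(report):
    """True when every observed directory flow used a TLS port and at least one flow was seen."""
    return not report["cleartext"] and bool(report["encrypted"])


if __name__ == "__main__":
    r = audit_ldap_flows(SAMPLE_TCPDUMP, "10.1.1.10", "10.1.1.5")
    for kind, flows in r.items():
        for sport, svc in sorted(flows.items()):
            print(f"{kind:9} client port {sport} -> {svc}")
    print("OK: only LDAPS" if only_ldaps(r) else "WARNING: cleartext directory traffic present")
```

The port alone shows which listener was used, not that the bytes were encrypted; to confirm that, check that the 636 flows in the capture start with a TLS handshake rather than a plain LDAP bind.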