Hi Volker,
Yes, from what I can see you can enable secure LDAPS. Make sure on ISE you have valid certificates issued by the Internal PKI that the AD DC trusts.
- Create a new LDAP connection, specify the DC and port 636
- Specify the Admin DN, e.g. "CN=SVCAcct,CN=Users,DC=LAB,DC=NET", and password
- Enable Secure Authentication
- Select the Trusted Root Certificate (LDAP Server Root CA)
- Add Subject/Group Search Base
- Import groups
I took a tcpdump and confirmed the traffic was sent via 636 and encrypted. When you import the groups, that is when you'll know the connection is working and verify it is encrypted.
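
To check the DC side independently of ISE, this added example (not part of the original post, and not Cisco code) performs a TLS handshake on port 636 and validates the DC's certificate against the same root CA file you select in ISE. The function names and command-line arguments are assumptions made for the example; it uses only the Python standard library.

```python
import socket
import ssl
import sys


def strict_context(ca_file=None):
    """TLS client context that trusts only the given root CA (PEM file)."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx  # with no CA loaded, every server certificate is rejected


def flatten_name(rdns):
    """Turn getpeercert()'s nested name tuples into 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def check_ldaps(host, ca_file, port=636, timeout=5.0):
    """Handshake with the DC on the LDAPS port and validate its certificate."""
    try:
        ctx = strict_context(ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": flatten_name(cert.get("subject", ())),
                    "issuer": flatten_name(cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to the supplied root CA, or the name does not match.
        return {"ok": False, "error": f"certificate rejected: {exc.verify_message}"}
    except OSError as exc:
        # Missing CA file, DNS failure, refused connection, timeout, other TLS errors.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_ldaps.py <dc-fqdn> <root-ca.pem>")
    result = check_ldaps(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

Pass the DC's FQDN rather than its IP address so the hostname check compares against the names in the certificate.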