ISE 2.4 patch 11 Secure ldap problem

Moudar (VIP)

Trying to start using Secure LDAP, but the problem is that when we test the bind to the server we get this message: "ldap bind ended with an error"

[screenshot: ise error.PNG]

any ideas!?


Accepted Solution

Damien Miller (VIP Alumni)
I don't have a guide for this, but ensure that you are using the correct CA cert selections in the connection tab of the LDAP connector. Both sides need to trust each other.

There is also a section in the 2.6 admin guide that indicates what settings need to be enabled for certain ISE features to function. Look under the section titled "Configure Security Settings" which directs you to Administration > System > Settings > Security Settings in the GUI.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010010.html

Someone else had suggested that you could enable debugs for prrt-JNI, AAA-runtime, AAA-config, then check the prrt-server.log file for more information on the errors.

Lastly, there is this terminated bug which indicates that ISE might not support mutual cert secure ldap authentication. I'm not sure if it still applies or not.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj82754



Moudar (VIP)

Is there any user guide with troubleshooting that we can use to implement secure LDAP on ISE 2.4?

hslai (Cisco Employee)

Damien Miller already gave some info on troubleshooting.

In case you are using LDAPS from Google G-Suite or the like, that is not currently supported. Also, LDAPS in ISE supports encryption only, not mutual authentication. The root CA of the LDAP server needs to be imported into ISE trusted certificates and trusted for client authentication.

Thanks @hslai

Is this still the case with newer ISE versions?

I will probably raise a feature request with our Cisco representative, but can you tell me if there is a specific internal reference for this feature?


Is there any way to make sure that there is trust between the two? What we know is that there is trust, but how can we make sure?

Take a packet capture on ISE with the filter "ip host <ip address of LDAP server>" and check whether the handshake between the two is completing or not.
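The accepted answer ("both sides need to trust each other") and the last reply (capture the traffic and see whether the handshake completes) are the same check seen from two angles. The script below is an added example written for this thread; it is not Cisco ISE code and not something any of the posters provided. It reproduces the check from any host with Python 3: a plain TCP connect first, then a TLS handshake validated against the CA file you intend to import into ISE Trusted Certificates, and on failure it records the SHA-256 of the leaf certificate the server actually presented so you can compare it with what the LDAP admin gave you. The host name `ldap.example.internal`, port 636 and the file `ldap-root-ca.pem` are placeholder assumptions.

```python
# Added example for this thread (not Cisco ISE code): an LDAPS trust check that
# shows the same thing a packet capture of the handshake would, namely whether
# the server's chain validates against the CA you import into ISE.
import hashlib
import socket
import ssl
from dataclasses import dataclass, field


@dataclass
class TrustCheck:
    """Outcome of one LDAPS connection attempt."""
    ok: bool
    stage: str                          # "tcp", "tls" or "done"
    detail: str
    leaf_sha256: str = ""               # fingerprint of the cert the server presented
    hints: list = field(default_factory=list)


def _leaf_fingerprint(host, port, timeout):
    """Fetch the server's leaf certificate WITHOUT validating it, only so its
    SHA-256 can be compared against the certificate the LDAP admin expects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def check_ldaps_trust(host, port=636, cafile=None, timeout=5.0):
    """Report where, if anywhere, an LDAPS handshake to host:port fails.

    cafile is a PEM bundle holding the LDAP server's issuing CA chain, i.e. the
    same CA(s) that have to be in ISE's Trusted Certificates; None falls back
    to the OS trust store.
    """
    # Stage 1: plain TCP. A failure here is reachability (ACL, routing, wrong
    # port), not certificates, so the CA is irrelevant at this point.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return TrustCheck(False, "tcp", f"TCP connect to {host}:{port} failed: {exc}",
                          hints=["fix reachability first; certificates are not involved yet"])

    # Stage 2: TLS with full chain and hostname validation, which is the
    # decision ISE has to make when it binds to the server.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
            return TrustCheck(True, "done",
                              f"{tls.version()} handshake OK; subject CN="
                              f"{subject.get('commonName')} issuer CN="
                              f"{issuer.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        # The chain did not validate against cafile: the "both sides need to
        # trust each other" case from the thread, or a name mismatch.
        if "hostname mismatch" in str(exc).lower():
            hints = ["the name used to reach the server is not in the certificate's "
                     "SAN; use a name that is, or reissue the server certificate"]
        else:
            hints = ["the chain does not validate against the supplied CA; import the "
                     "issuing root and intermediate CA into ISE Trusted Certificates "
                     "and select it in the LDAP connection tab"]
        result = TrustCheck(False, "tls", f"certificate verification failed: {exc}",
                            hints=hints)
    except ssl.SSLError as exc:
        # Handshake broke before any chain could be checked: plain LDAP on 389
        # instead of LDAPS on 636, no server certificate, protocol mismatch.
        result = TrustCheck(False, "tls", f"TLS handshake failed: {exc}",
                            hints=["confirm LDAPS is served on this port (636) and that "
                                   "the server has a certificate and key installed"])
    except OSError as exc:
        result = TrustCheck(False, "tls", f"connection dropped during handshake: {exc}")

    # Best effort: record which leaf the server actually presented so it can be
    # matched against the certificate ISE was given.
    try:
        result.leaf_sha256 = _leaf_fingerprint(host, port, timeout)
    except OSError:
        pass
    return result


if __name__ == "__main__":
    # Placeholder target and CA file (assumptions, not values from the thread).
    r = check_ldaps_trust("ldap.example.internal", 636, cafile="ldap-root-ca.pem")
    print(r.stage, r.ok, r.detail)
    for hint in r.hints:
        print(" hint:", hint)
    if r.leaf_sha256:
        print(" server leaf sha256:", r.leaf_sha256)
```

A result with stage "tls" and a verification failure is exactly the trust gap the accepted answer describes; a capture taken on ISE at the same moment shows the client sending a TLS alert right after the server's Certificate message instead of continuing the handshake. A result with stage "tcp" means the capture will show no handshake at all, so start with reachability rather than the certificate selections.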