
ISE 2.6 and Microsoft AD integration using LDAP-S

Ping Zhou
Level 8

Hi Experts,

Under the configuration on ISE for Active Directory integration, Administration > Identity Management > External Identity Sources > Active Directory, I don't see the option to use "LDAP Secure" (such as port 636). I assumed that, with 2.6, ISE supports LDAPS for Microsoft AD, but I can't find any configuration guide. Can anyone share some docs that cover how to set up ISE with LDAPS for Microsoft AD? What are the certificate requirements? Are there any limitations on authentication and authorization?

Thanks in advance.

1 Accepted Solution

We are working on updating a public Doc on Integration with Secure LDAP server. At this point, I'd urge you to do extensive lab testing before rolling out in production.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

9 Replies

poongarg
Cisco Employee

AFAIK, the communication ports are fixed. We cannot change AD connector communication from LDAP port 389 to LDAPS port 636. Though it is LDAP, all the attributes are encrypted.

If you need LDAPS, configure a new external LDAP identity store on ISE and there you can use LDAPS port.

Thanks. Is it the Cisco-recommended way of integrating with Microsoft AD using LDAP-S? I'm also looking for a Cisco configuration guide, if there is one, to understand what the impact to ISE would be on certificate management, AuthC and AuthZ, as well as RSA SecurID (2FA).

Anurag Sharma
Cisco Employee

Hi @Ping Zhou ,

You need to choose Schema as 'Active Directory'. Then configure it like in the picture below.

Make sure LDAP and ISE trust each other's CA certificates.

[Screenshot: Screenshot 2020-06-05 at 7.29.25 PM.png]

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
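A lab pre-check of the mutual certificate trust the reply above calls for, added here as an example (not Cisco's code and not the poster's configuration): it connects to a domain controller on port 636 trusting only the supplied CA bundle, reports the issuer and remaining validity, and flags whether the server name you intend to enter in ISE (FQDN or IP address) is actually covered by the DC certificate's SANs. The DC host, the CA file path and the certificate values are assumptions.

```python
# Constructed example for lab pre-checks, not Cisco's or the thread's code.
# Inputs (DC host, CA bundle path, the name to be entered in ISE) are assumptions.
import socket
import ssl
import time


def cert_matches_name(cert, name):
    """True if the DC certificate covers the server name entered in ISE.
    DNS SANs (one-label wildcard allowed) and IP Address SANs count; the
    subject CN is used only when the certificate has no SAN at all."""
    want = name.lower()
    sans = cert.get("subjectAltName", ())
    if any(k == "IP Address" and v == want for k, v in sans):
        return True
    dns = [v.lower() for k, v in sans if k == "DNS"]
    if not sans:
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    for d in dns:
        if d.startswith("*."):
            if want.count(".") == d.count(".") and want.endswith(d[1:]):
                return True
        elif d == want:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days left on the certificate; negative means it has already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - (time.time() if now is None else now)) // 86400)


def check_ldaps(host, ca_file, ise_name=None, port=636, timeout=5.0):
    """TLS-connect to host:port trusting only ca_file; classify what ISE would hit."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname check stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"ok": True, "tls": tls.version(),
                    "issuer": dict(p for rdn in cert["issuer"] for p in rdn),
                    "days_left": days_until_expiry(cert),
                    "name_ok": cert_matches_name(cert, ise_name or host)}
    except ConnectionRefusedError:
        return {"ok": False, "reason": "port closed: LDAPS is not enabled on this DC"}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": f"untrusted via {ca_file}: {e.verify_message}"}
    except OSError as e:  # timeout, DNS failure, reset, or no network at all
        return {"ok": False, "reason": f"connection failed: {e}"}
```

A result with `ok` True but `name_ok` False means the CA is trusted yet the value you planned to type into ISE (often the DC's IP) is not in the certificate, which would still fail TLS verification from ISE.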

Much appreciated for the info. Do you know if there are any Cisco docs for this? The Cisco doc here (https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html) doesn't mention LDAP-S. Before I put this into production, I have to understand its behaviors and limitations, as I mentioned above (if there are any). I plan to lab it out with the AD team, but I also want some official Cisco recommendation, tech notes or something.

Thanks again for sharing your config screenshot.


Hi,

Do you have any updates regarding the public docs you mentioned?

Many thanks.

Just wondering if there is an update on this yet?

Thanks.

Hi @Kacey Wilson,

It looks like the answer is no. Please take a look at ISE Installation Guide 3.0 - Node Ports, and search for External Identity Sources and Resources (Outbound).

Hope this helps!

Is there any update on this?

If you use the standard way of joining the AD via Administration > Identity Management > External Identity Sources > Active Directory, are you still only able to use port 389?

I am reading Implementing and Configuring Cisco Identity Services Engine (SISE), and it says that the approach suggested above, configuring it as an LDAP external identity source, has limitations:

Active Directory and LDAP Comparison

  • Active Directory
    1. Rich attribute set
    2. Direct tie between ISE and AD
    3. Fast performance
    4. ISE can join multiple directories
    5. Search up or down the tree

  • Active Directory accessed as LDAP server
    1. ISE can join multiple directories
    2. Slower performance
    3. Fewer attributes
    4. Search down the tree only

You can access the Active Directory database either as Active Directory or as an LDAP server. Both methods have their pros and cons:

  • When you connect to Active Directory via the Active Directory method, you gain advantages due to the direct tie between the Cisco ISE and Active Directory—an extensive attribute range, good performance, and the ability to search up or down the tree. Starting from version 1.3, Cisco ISE can join multiple directories.

  • When you connect to Active Directory as an LDAP server, you can join multiple directories. However, this method slows performance, offers fewer attributes, and supports only searching down the tree.

 

Why is it not possible to join the domain via LDAPS through Administration > Identity Management > External Identity Sources > Active Directory?
