ISE-AD Communication Problem

Dear Experts,

I am getting the below error in ISE while I am trying to authenticate.

"ISE has the communication problem with the active directory with its machine authentication". In External Identity Sources, the ISE is connected to the AD group. What is to be done?

And also, please tell me which protocol or port number is used for communication between ISE and AD?

Thanks in advance.

KVS

Accepted Solution

Hi Prasan,

That's correct. It only supports LDAP on port 389 (clear text); this feature is planned to be supported but no work has been done yet. Here is an enhancement request for your reference:

CSCsx72116: WLC: Add support for secure LDAP

Symptom:

WLC does not support LDAPS (Secure LDAP).

Conditions:

Connecting to Secure LDAP, usually with port 636.

Workaround:

Use Plain LDAP.

As of now, either you can continue to use plain LDAP (389) or put ACS/ISE in between for secure communication between them.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Replies

Guys, any suggestion...

You'd better redirect your Q to the Security - Identity community :)

Thanks for your guidance ...

Hi Prasan,

Are you able to see ISE (hostname) as a computer object in Active Directory? Can you explain the steps of how you integrated ISE with AD? Also, for a quick test, if possible, can you delete the AD configuration from the ISE, make sure there is no computer object for ISE on the AD, and join again?

If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol          Port Number
LDAP              389 (UDP)
SMB               445 (TCP)
KDC               88 (TCP)
Global Catalog    3268 (TCP), 3289
KPASS             464 (TCP)
NTP               123 (UDP)
LDAP              389 (TCP)
LDAPS             636 (TCP)

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
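
An added reachability check (not part of the thread or of Cisco's documentation): this Python script takes the port list above and, run from the ISE side against a domain controller, probes the TCP entries and only lists the UDP ones, since a connect() cannot confirm a UDP port. The domain controller hostname is an assumed placeholder.

```python
import socket
import sys

# Port list as posted in the reply above (constructed from that table; the
# bare "3289" listed for Global Catalog has no transport given, so it is omitted).
REQUIRED_PORTS = [
    ("LDAP", 389, "UDP"),
    ("SMB", 445, "TCP"),
    ("KDC", 88, "TCP"),
    ("Global Catalog", 3268, "TCP"),
    ("KPASS", 464, "TCP"),
    ("NTP", 123, "UDP"),
    ("LDAP", 389, "TCP"),
    ("LDAPS", 636, "TCP"),
]


def tcp_connect(host, port, timeout=2.0):
    """Real probe: True only if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ad_ports(host, ports=REQUIRED_PORTS, probe=tcp_connect):
    """Probe each TCP entry; UDP entries are reported but not probed, since a
    connect() cannot tell an open UDP port from a filtered one."""
    results = {}
    for service, port, transport in ports:
        if transport != "TCP":
            results[(service, port, transport)] = "not probed (UDP)"
        else:
            results[(service, port, transport)] = "open" if probe(host, port) else "closed"
    return results


def blocked_tcp_ports(results):
    """Sorted list of TCP ports the firewall (or DC) did not answer on."""
    return sorted(port for (_, port, _), status in results.items() if status == "closed")


if __name__ == "__main__":
    # Run from the ISE side (or a host in the same segment) against a domain controller.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"  # assumed hostname
    report = check_ad_ports(dc)
    for (service, port, transport), status in sorted(report.items(), key=lambda kv: kv[0][1]):
        print(f"{service:15} {port:>5}/{transport}  {status}")
    if blocked_tcp_ports(report):
        print("Blocked TCP ports:", blocked_tcp_ports(report))
```

A port reported "closed" here means the firewall or the domain controller did not complete the handshake; the UDP entries (LDAP 389, NTP 123) still have to be verified on the firewall rule set itself.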

For more information about Integrating Cisco ISE with Active Directory prerequisites, I'd suggest you go through the link mentioned below. This would specifically educate you on what all you need in the first place.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059011

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks Jatin.. I will test it and get back here. But I really wonder the same is communicating with AD when L2 security is configured on the controller... Something looks strange...

I see many ports to be opened in the firewall as per the table you have given, but I think it uses only 389 TCP to communicate with AD. Is it correct?

Message was edited by: Prasan Venky


All these ports actually help ACS to join with AD. Only ports 3269 and 636 are required when we are using secure LDAP. You should have them open on the firewall to avoid any issues. Once they are joined, ACS-AD communication majorly depends on ports 389 and 3268.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello

We finally integrated WLC with LDAP without the use of ISE. We tested with port 389; it was working and clients were authenticating, but the same with ports 636 and 3269 is not working...

We need to secure the LDAP transaction. Any idea?


Prasan,

In response to your question regarding the many ports in addition to 389: ISE uses these ports to join Active Directory as a domain machine. It uses Kerberos to perform authentication, and it supports many authentication protocols that are not supported with your conventional LDAP protocol, i.e. PEAP-MSCHAPv2.

If you need to connect to ports 636 and 3269, you will need to have the root certificate from the LDAP server and import that into the controller, if it is supported. You may need to post this question on the wireless forums if you are looking to integrate the WLC with the LDAP server directly without ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*


Thanks for your reply. I didn't bother about this root certificate from the LDAP server. I will try to load it into the WLC and check.

Many thanks for your support.


Hi Prasan,

In case you get stuck somewhere and need some reference, please take a look here:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Dear Jatin & Tarik,

We finally found that LDAPS (636/3269) is not supported by the Cisco controllers yet. Only LDAP with 389. That's the wireless part.

Anyway, many thanks for the support provided from the LDAP side.

KVS

That's very clear. Thanks Jatin....