07-18-2013 01:29 AM - edited 03-10-2019 08:39 PM
Dear Experts,
I am getting the below error in ISE while i am trying to authenticate.
"ISE has the communication problem with the active directory with its machine authentication". In External Identity Sources, the ISE is connected to the AD group. What is to be done?
And also, please tell me which protocol or port number is used for communication between ISE and AD.
Thanks in advance..
KVS
Solved! Go to Solution.
07-25-2013 01:51 AM
Hi Prasan,
That's correct. It only supports LDAP on port 389 (clear text). This feature is planned to be supported, but no work has been done on it yet. Here is an enhancement request for your reference:
CSCsx72116 : WLC: Add support for secure LDAP
Symptom:
WLC does not support LDAPS (Secure LDAP).
Conditions:
Connecting to Secure LDAP, usually with port 636.
Workaround:
Use Plain LDAP.
As of now, either you can continue to use plain LDAP (389) or put ACS/ISE in between for secure communication between them.
~BR
Jatin Katyal
**Do rate helpful posts**
07-18-2013 06:00 AM
Guys, any suggestion ...?
07-18-2013 08:34 AM
You'd better redirect your Q to the Security - Identity community :)
07-18-2013 09:36 AM
Thanks for your guidance ...
07-18-2013 01:51 PM
Hi Prasan,
Are you able to see ISE (hostname) as a computer object in the Active Directory? Can you explain the steps: how did you integrate ISE with AD? Also, for a quick test, if possible, can you delete the AD configuration from the ISE, make sure there is no computer object on the AD for ISE, and join again?
If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open:
| Protocol | Port Number |
|---|---|
| LDAP | 389 (UDP) |
| SMB | 445 (TCP) |
| KDC | 88 (TCP) |
| Global Catalog | 3268 (TCP), 3289 |
| KPASS | 464 (TCP) |
| NTP | 123 (UDP) |
| LDAP | 389 (TCP) |
| LDAPS | 636 (TCP) |
~BR
Jatin Katyal
**Do rate helpful posts**
07-18-2013 02:02 PM
For more information about Integrating Cisco ISE with Active Directory Prerequisites, I'd suggest you go through the link mentioned below. This would specifically educate you on what you need in the first place.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059011
~BR
Jatin Katyal
**Do rate helpful posts**
07-19-2013 12:44 AM
Thanks Jatin .. I will test it and get back here. But I really wonder whether the same is communicating with AD when L2 security is configured on the controller ... Something looks strange ...
I see many ports to be opened in the firewall as per the table you gave, but I think it uses only 389 TCP to communicate with AD.. is it correct ..?
Message was edited by: Prasan Venky
07-19-2013 05:12 AM
All these ports actually help ACS to join with AD. Only ports 3269 and 636 are required when we are using secure LDAP. You should have them open on the firewall to avoid any issues. Once they are joined, ACS-AD communication mainly depends on ports 389 and 3268.
~BR
Jatin Katyal
**Do rate helpful posts**
07-21-2013 06:20 AM
Hello
We finally integrated WLC with LDAP without the use of ISE. We tested with the 389 port; it was working and clients were authenticating.. but the same with the 636 and 3269 ports is not working ...
We need to secure the LDAP transaction .. Any idea..?
07-22-2013 11:20 PM
Prasan,
In response to your question regarding the many ports in addition to 389: ISE uses these ports to join Active Directory as a domain machine. It uses Kerberos to perform authentication, and it supports many authentication protocols that are not supported with your conventional LDAP protocol, i.e. PEAP-MSCHAPv2.
If you need to connect to ports 636 and 3269, you will need to have the root certificate from the LDAP server and import that into the controller, if it is supported. You may need to post this question on the wireless forums if you are looking to integrate the WLC with the LDAP server directly, without ISE.
Thanks,
Tarik Admani
*Please rate helpful posts*
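Tying together the port table from the earlier reply and the point above about the LDAPS root certificate, here is an added bash check (not from the thread, Cisco, or any poster) that confirms from a host on the ISE side that each listed TCP port is reachable and that the LDAPS endpoint's certificate chain validates against the AD root CA you intend to import. It assumes bash, coreutils `timeout` and `openssl` are available; the DC hostname and CA file path are placeholders passed as arguments.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: run on the ISE node (or any host on the same
# segment) to confirm the AD ports listed above are reachable through the firewall
# and that the LDAPS endpoint's chain validates against the AD root CA you intend to
# import. DC hostname and CA file path are placeholders passed as arguments.

# Port list from the thread: "proto port label". 3269 is the Global Catalog over
# SSL port named later in the thread next to 636.
required_ports() {
  cat <<'EOF'
tcp 389 LDAP
udp 389 LDAP
tcp 445 SMB
tcp 88 KDC
tcp 3268 GlobalCatalog
tcp 464 KPASSWD
udp 123 NTP
tcp 636 LDAPS
tcp 3269 GlobalCatalog-SSL
EOF
}

# 0 if a TCP connect to host:port succeeds within 3 s (bash /dev/tcp, coreutils timeout).
check_tcp_port() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# 0 only if the TLS handshake succeeds and the server chain verifies against the
# CA bundle; -verify_return_error turns a verification failure into a non-zero exit.
check_ldaps_cert() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# usage: run_checks dc.example.local ad-root-ca.pem ; exit status = number of failures
run_checks() {
  local host=$1 cafile=$2 failed=0 proto port label
  while read -r proto port label; do
    if [ "$proto" = udp ]; then
      echo "SKIP   $label $port/udp (connectionless; confirm via firewall logs)"
    elif check_tcp_port "$host" "$port"; then
      echo "OPEN   $label $port/tcp"
    else
      echo "CLOSED $label $port/tcp"; failed=$((failed + 1))
    fi
  done <<EOF
$(required_ports)
EOF
  if check_ldaps_cert "$host" 636 "$cafile"; then echo "OK     LDAPS chain verifies"
  else echo "FAIL   LDAPS chain does not verify against $cafile"; failed=$((failed + 1)); fi
  return "$failed"
}
```

A CLOSED line for 636 or 3269 with the rest OPEN points at the firewall; OPEN with a FAIL on the chain check points at the certificate the controller (or ISE) would need to trust.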
07-23-2013 04:00 AM
Thanks for your reply. I didn't think about this root certificate from the LDAP server. I will try to load it into the WLC and check.
Many thanks for your support.
07-23-2013 05:38 AM
Hi Prasan,
In case you stuck somewhere and need some reference, please take a look here
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
~BR
Jatin Katyal
**Do rate helpful posts**
07-24-2013 01:18 AM
Dear Jatin & Tarik,
We finally found that LDAPS (636/3269) is not supported by the Cisco controllers yet. Only LDAP with 389. That's the wireless part.
Anyway, many thanks for the support provided from the LDAP side.
KVS
07-25-2013 04:13 AM
That's very clear. Thanks Jatin ....