ISE-AD Communication Problem

Prasan Venky
Level 3

Dear Experts,

I am getting the below error in ISE while i am trying to authenticate.

"ISE has the communication problem with the active directory with its machine authentication" . In External Identity Sources, the ISE is connected to the AD group. What to be done..?

And also please tell me between ISE and AD, using which protocol or port number it communicates..?

Thanks in advance..

KVS


14 Replies

Prasan Venky
Level 3

Guyzz any suggestion ...

Shaoqin Li
Level 3

You had better redirect your question to the Security - Identity community :)

Thanks for your guidance ...

Jatin Katyal
Cisco Employee

Hi Prasan,

Are you able to see ISE (hostname) as a computer object in Active Directory? Can you explain the steps of how you integrated ISE with AD? Also, for a quick test, if possible, can you delete the AD configuration from ISE, make sure there is no computer object for ISE in AD, and join again.

If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol            Port Number
LDAP                389 (UDP)
SMB                 445 (TCP)
KDC                 88 (TCP)
Global Catalog      3268 (TCP), 3269 (TCP)
KPASS               464 (TCP)
NTP                 123 (UDP)
LDAP                389 (TCP)
LDAPS               636 (TCP)

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
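The port table above is the checklist; the script below turns it into a probe you can run before raising a firewall ticket. It is an added example and not part of the thread or of any Cisco tool. It assumes a Linux admin host sitting in the same firewall zone as the ISE node (ISE itself does not run arbitrary scripts), and a domain controller name of dc01.example.com, which is a placeholder. The original table lists "3289" as the second Global Catalog port; 3269 (Global Catalog over SSL), the number used later in the thread, is assumed here. TCP ports are tested with a real handshake, NTP with a minimal client request, and UDP 389 is reported as not probed because the CLDAP ping ISE uses there needs an LDAP-encoded query rather than a plain connect.

```python
import socket

# Ports from the ISE <-> Active Directory prerequisite table in the reply above.
# "3289" in the original table is read as 3269 (Global Catalog over SSL); assumption.
AD_PORTS = [
    ("LDAP (CLDAP)",       389,  "udp"),
    ("SMB",                445,  "tcp"),
    ("Kerberos KDC",       88,   "tcp"),
    ("Global Catalog",     3268, "tcp"),
    ("Global Catalog SSL", 3269, "tcp"),
    ("Kerberos kpasswd",   464,  "tcp"),
    ("NTP",                123,  "udp"),
    ("LDAP",               389,  "tcp"),
    ("LDAPS",              636,  "tcp"),
]


def check_tcp(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (firewall permits it, DC listens)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ntp(host, port=123, timeout=2.0):
    """Send a minimal NTPv3 client request and wait for a server reply.

    A bare UDP connect proves nothing, so an application-level probe is used.
    Kerberos (port 88) rejects tickets outside its clock-skew window, which is
    why NTP is in the ISE prerequisite table at all.
    """
    pkt = b"\x1b" + bytes(47)            # LI=0, VN=3, Mode=3 (client), rest zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (host, port))
            data, _ = s.recvfrom(48)
        except OSError:
            return False
    return len(data) >= 48 and (data[0] & 0x07) == 4   # mode 4 = server reply


def check_dc(host, ports=AD_PORTS, timeout=2.0):
    """Probe every port in the table; returns {(name, port, proto): True/False/None}.

    None means "not probed": UDP 389 is the CLDAP ping used for DC discovery,
    which needs an LDAP SearchRequest on the wire, not a plain connect.
    """
    results = {}
    for name, port, proto in ports:
        if proto == "tcp":
            results[(name, port, proto)] = check_tcp(host, port, timeout)
        elif port == 123:
            results[(name, port, proto)] = check_ntp(host, port, timeout)
        else:
            results[(name, port, proto)] = None
    return results


def blocked_ports(results):
    """Names of ports whose probe failed (the ones to raise with the firewall team)."""
    return [f"{name} {port}/{proto}"
            for (name, port, proto), ok in results.items() if ok is False]


def open_local_listener():
    """Constructed helper: a loopback TCP listener so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"   # placeholder DC name
    res = check_dc(dc)
    for (name, port, proto), ok in res.items():
        state = {True: "open", False: "BLOCKED", None: "not probed"}[ok]
        print(f"{name:<20} {port:>5}/{proto}  {state}")
    print("blocked:", blocked_ports(res) or "none")
```

Run it as `python3 check_ad_ports.py dc01.example.com` from the admin host; anything listed under "blocked" is either a firewall rule or a service that is not listening on that DC, and either one will keep the ISE join from completing.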

For more information about the prerequisites for integrating Cisco ISE with Active Directory, I'd suggest you go through the link below. It spells out exactly what you need in the first place.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059011

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks Jatin. I will test it and get back here, but I really wonder whether the same is communicating with AD when L2 security is configured on the controller ... Something looks strange ...

I see many ports need to be opened in the firewall, as in the table you gave, but I think it uses only 389 TCP to communicate with AD. Is that correct?


All these ports actually help ACS to join with AD. Only ports 3269 and 636 are required when we are using secure LDAP. You should have them open on the firewall to avoid any issues. Once they are joined, ACS-AD communication mainly depends on ports 389 and 3268.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello

We finally integrated the WLC with LDAP without the use of ISE. We tested with port 389; it was working and clients were authenticating, but the same with ports 636 and 3269 is not working ...

We need to secure the LDAP transaction. Any idea?

Prasan,

In response to your question regarding the many ports in addition to 389: ISE uses these ports to join Active Directory as a domain machine. It uses Kerberos to perform authentication and it supports many authentication protocols that are not supported with your conventional LDAP protocol, i.e. PEAP-MSCHAPv2.

If you need to connect to ports 636 and 3269 you will need to have the root certificate from the LDAP server and import that into the controller, if it is supported. You may need to post this question on the wireless forums if you are looking to integrate the WLC with the LDAP server directly without ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for your reply. I didn't think about this root certificate from the LDAP server. I will try to load it into the WLC and check.

Many thanks for your support.

Hi Prasan,

In case you get stuck somewhere and need some reference, please take a look here:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Dear Jatin & Tarik,

We finally found that LDAPS (636/3269) is not supported by the Cisco controllers yet. Only LDAP with 389. That's the wireless part.

Anyway, many thanks for the support provided on the LDAP side.

KVS

Accepted Solution

Hi Prasan,

That's correct. It only supports LDAP on port 389 (clear text); this feature is planned to be supported but no work has been done on it yet. Here is an enhancement request for your reference:

CSCsx72116  :  WLC: Add support for secure LDAP

Symptom:

WLC does not support LDAPS (Secure LDAP).

Conditions:

Connecting to Secure LDAP, usually with port 636.

Workaround:

Use Plain LDAP.

As of now, either you can continue to use plain LDAP (389) or put ACS/ISE in between for secure communication between them.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
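Two points in the thread deserve a concrete look: Tarik's note that LDAPS needs the LDAP server's root certificate imported on the client, and Jatin's description of LDAP on 389 as clear text. The code below is an added example, not part of the thread or of any Cisco product. It hand-encodes an LDAPv3 simple BindRequest (RFC 4511 BER), so you can see that the bind password travels as plain bytes in the frame, and it builds the TLS context a client should use on 636/3269: CA pinned to the imported root certificate, hostname checked, TLS 1.2 or newer. The bind DN, password, DC hostname and CA file name are constructed placeholders.

```python
import socket
import ssl


def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v):
    """Non-negative INTEGER; an extra leading byte keeps values >= 128 positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return _tlv(0x02, body)


def encode_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _tlv(
        0x60,                                   # [APPLICATION 0] BindRequest, constructed
        _ber_int(3)                             # version 3
        + _tlv(0x04, bind_dn.encode("utf-8"))   # LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))  # AuthenticationChoice: simple [0]
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)   # SEQUENCE


def password_visible_on_wire(frame, password):
    """What a sniffer on the 389 path sees: the simple-bind password as plain bytes."""
    return password.encode("utf-8") in frame


def ldaps_context(ca_cert_pem=None):
    """TLS settings for 636/3269: verify the DC certificate against the CA you imported.

    ca_cert_pem is the AD root CA in PEM form (placeholder); None falls back to the
    host's trust store, which is only right if that store already holds the AD CA.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_bind(host, port, frame, tls_ctx=None, timeout=5.0):
    """Send one bind frame and return the raw BindResponse bytes.

    With tls_ctx=None the frame, password included, leaves the box unencrypted,
    which is the plain-LDAP-on-389 situation; with tls_ctx it is wrapped in TLS
    and the server certificate is validated before anything is sent.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls_ctx is not None:
        sock = tls_ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(frame)
        return sock.recv(4096)


if __name__ == "__main__":
    # Constructed sample credentials; not from the thread.
    dn, pw = "cn=wlc-bind,ou=svc,dc=example,dc=com", "Sup3rSecret!"
    frame = encode_simple_bind(1, dn, pw)
    print(frame.hex())
    print("password readable in frame:", password_visible_on_wire(frame, pw))
    # Live use (placeholders):
    #   send_bind("dc01.example.com", 389, frame)                                   # clear text
    #   send_bind("dc01.example.com", 636, frame, ldaps_context("ad-root-ca.pem"))  # LDAPS
```

The printed hex is exactly what a capture on the 389 path would contain, and the bind DN is usually a service account with read rights over the whole user tree, so an attacker in the path gets both the account and the password. Wrapping the same frame in the verified TLS context is what the 636/3269 listener on the DC expects; skipping certificate validation on the client would defeat the point of moving off 389.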

That's very clear. Thanks Jatin ....
