1973 Views, 215 Helpful, 12 Replies

ISE and LDAP configuration

angelito_mas (Level 1)

Hello,

We have integrated a WLC with an ISE for a customer.
The customer has an AD configured with LDAP and Kerberos.
Our goal is to have an SSID dedicated to employees, but when the PC clients connect to the SSID they present themselves with a MAC address instead of a DN.

Is it possible for the client to come up with a DN? If yes, how can we do it?

Accepted Solution

As @Marcus Hunold mentioned, you need to check what authentication protocol you configured. If you only see the MAC addresses instead of the actual usernames or the machine names (depending on your configuration), it would suggest that the endpoints are not doing dot1x, or maybe they are not matching the right policy on ISE. Essentially, the endpoints need to be configured with dot1x, and depending on your environment you might be using EAP-TLS (auth with certs) or EAP-PEAP (auth with username and password). Then the WLC needs to be configured to point to ISE for RADIUS authentication and accounting; there are other settings that need to be configured, such as ISE NAC, but that depends on which WLC controller you are using. Finally, you need to configure the ISE policy set to check against the machine or user certificates (depending on whether you want to use the machine or user certificates for authentication); that is done via the certificate authentication profile on ISE, and you also need ISE to be configured to check against the AD the CN or DNS value parsed from the certificates. If you will be using EAP-PEAP, you just need to point the ISE authentication policy rule to your AD, and then define the authorization policy with the access level you want to grant to the users/machines. If you still need support on this, please share your sanitized ISE configuration for review.

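The first check in the accepted answer is whether the sessions ISE sees are MAB (RADIUS User-Name is just the MAC address) or real 802.1X (a machine identity such as host/PC-NAME or a user identity, with an EAP method negotiated). The following Python script is an added example, not from the thread and not Cisco's own code: it classifies constructed RADIUS-style authentication records per SSID so that an SSID whose endpoints are not doing dot1x stands out. The key=value record layout, the SSID names, usernames and MAC addresses are all constructed assumptions, not the real ISE LiveLog or syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in a simplified key=value layout. They only
# illustrate the fields a RADIUS authentication log carries (User-Name,
# Calling-Station-Id, EAP method, SSID); this is NOT the real ISE log format.
SAMPLE_LOG = """\
ts=2024-05-01T08:00:01 ssid=CORP-EMPLOYEES username=a4:83:e7:12:34:56 calling_station=A4-83-E7-12-34-56 eap_method=- result=fail
ts=2024-05-01T08:00:02 ssid=CORP-EMPLOYEES username=host/PC-1234.corp.example calling_station=00-11-22-33-44-55 eap_method=EAP-TLS result=pass
ts=2024-05-01T08:00:03 ssid=CORP-EMPLOYEES username=jdoe@corp.example calling_station=00-11-22-33-44-66 eap_method=PEAP(EAP-MSCHAPv2) result=pass
ts=2024-05-01T08:00:04 ssid=CORP-EMPLOYEES username=0011.2233.4477 calling_station=00-11-22-33-44-77 eap_method=- result=fail
ts=2024-05-01T08:00:05 ssid=GUEST username=001122334488 calling_station=00-11-22-33-44-88 eap_method=- result=pass
ts=2024-05-01T08:00:06 ssid=CORP-EMPLOYEES username=CORP\\asmith calling_station=00-11-22-33-44-99 eap_method=PEAP(EAP-MSCHAPv2) result=pass
"""

# MAC spellings commonly seen in User-Name when a switch or WLC does MAB.
_MAC_FORMS = re.compile(
    r"([0-9a-f]{2}:){5}[0-9a-f]{2}"      # aa:bb:cc:dd:ee:ff
    r"|([0-9a-f]{2}-){5}[0-9a-f]{2}"     # aa-bb-cc-dd-ee-ff
    r"|([0-9a-f]{4}\.){2}[0-9a-f]{4}"    # aabb.ccdd.eeff
    r"|[0-9a-f]{12}"                     # aabbccddeeff
)


def is_mac_address(name: str) -> bool:
    """True when the RADIUS User-Name is nothing but a MAC address (the MAB signature)."""
    return _MAC_FORMS.fullmatch(name.lower()) is not None


def parse_record(line: str) -> dict:
    """Split one 'key=value key=value ...' line into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def classify(rec: dict) -> str:
    """Label a record as mab, dot1x-machine, dot1x-user or unknown."""
    name = rec.get("username", "")
    eap = rec.get("eap_method", "-")
    if eap != "-":
        # A negotiated EAP method means the supplicant did 802.1X;
        # the host/ prefix is how Windows presents machine authentication.
        return "dot1x-machine" if name.lower().startswith("host/") else "dot1x-user"
    if is_mac_address(name):
        return "mab"
    return "unknown"


def summarize(log_text: str) -> dict:
    """Count session types per SSID: {ssid: Counter({label: n, ...})}."""
    per_ssid = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        per_ssid[rec.get("ssid", "?")][classify(rec)] += 1
    return dict(per_ssid)


def ssids_without_dot1x(summary: dict) -> list:
    """SSIDs on which no session used 802.1X at all: endpoints there are not doing dot1x."""
    return sorted(ssid for ssid, counts in summary.items()
                  if counts["dot1x-user"] + counts["dot1x-machine"] == 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ssid, counts in sorted(summary.items()):
        print(ssid, dict(counts))
    print("SSIDs with no 802.1X sessions:", ssids_without_dot1x(summary))
```

Run it as-is to see the constructed data classified; to use it on your own export, replace SAMPLE_LOG with records mapped into the same key=value fields. An employee SSID that shows only "mab" entries is the situation described in this thread: the WLAN is sending MAC-based requests and the supplicants are never negotiating EAP.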

12 Replies

balaji.bandi (Hall of Fame)
Our goal is to have a SSID dedicated to employees, but when the pc clients connect to the SSID they present themselves with MAC address instead of DN.

What is DN in your own terms? (Maybe I did not get what you are looking for.) Explain more so we can understand and suggest better.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

DN = Domain Name

The PC presents itself with the MAC address as its username. We want the device to send, as its username, the domain name stored in the Windows AD database.

Not sure how your setup is; I suggest looking at the user onboarding process on wireless below (does this work for you?).

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119149-configure-ise-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

This is not what we are looking for, because this way we bypass the ISE.

The clients connect to the WLC, which is integrated with the ISE, which in turn must talk to AD via LDAP and Kerberos.

The clients do not authenticate because they come up with the MAC address as their username.

Marcus Hunold (Level 1)

Which authentication protocol & method do you use?

Hi Marcus,

I use LDAP with Kerberos.

LDAP with Kerberos is the external identity store only.

Authentication protocol and method refer to the ISE/WiFi/endpoint configuration.

An example would be EAP-TLS, where the WLC sends the EAP-TLS (method) encapsulated via RADIUS (protocol) to the ISE, which then (if configured, not mandatory) checks the certificate or the account at the LDAP.

The WLC sends the LEAP method via RADIUS to the ISE, which checks the account on LDAP.

LEAP... I have not read that in years...

What clients do you have that still support LEAP?


thomas (Cisco Employee)

It sounds like your endpoints are not properly configured to talk to ISE using 802.1X on your wireless controller.

You have not provided enough information about your SSID configuration to understand how you are authenticating them.

You have not provided any ISE authentication or authorization policy information to understand your policy.

You have not provided any ISE LiveLogs details or errors to understand the results.

See How to Ask The Community for Help.

Watch ISE for the Zero Trust Workplace @ 20:50 (ISE Demo) to see if that helps you with ISE policy and authentication/authorization.