
ISE LDAP Password Change

bret
Level 3

I recently changed my LDAP password to troubleshoot a TAC case I have open. After changing the LDAP password, a test bind to the server works, but when I try to retrieve attributes I get an error “could not read user attribute data: invalid admin credentials or security settings” and after three tries the AD account gets locked out. Before changing the password I had no issues retrieving attributes. Is there something else that needs to be done after changing an External Identity Source password?

Thanks In Advance!

6 Replies

cciesec2011
Level 3

What version of ISE are you running? In ISE version 1.2 up to patch-6, there is an issue with retrieving AD groups:

CSCul84544

Retrieval of Active Directory Groups or Attributes from GUI is Failing

This fix addresses an issue where the user was unable to fetch Groups and/or attributes from Active Directory on the ISE GUI.

 

The fix is to upgrade to patch-7

I am running v 1.2.8 and am using LDAP. The issue is when using LDAP and attributes are retrieved from some users, some user retrieval fails and some work.

Still curious about the password change though. I think it's odd that before the password change on my LDAP service account I was able to retrieve attributes, but now I get that error and the AD account locks out.

Thanks for your info.

"I am running v 1.2.8 and am using LDAP"

 

How is it even possible that you're running 1.2.8? The current release is 1.2.0.899:

 

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.2.0.899
Build Date   : Wed Jul 24 07:37:31 2013
Install Date : Fri Feb 21 22:50:57 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 5
Install Date : Sat Feb 22 00:59:41 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Tue Mar 04 15:07:53 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 7
Install Date : Sat Apr 05 11:46:30 2014

What patch level are you running?  If you're running pre-patch 7, there is a bug with retrieving AD groups.

I am running 1.2.0.899.

What is the patch level? Can you share the output of the "show version" command?

If it is less than 7, it is likely that you will have issues.

I fixed my issue. Apparently, when using LDAP or AD the password cannot be too complex. I created a less complex password and the issue was resolved. Hopefully this helps other folks in the future.

 

Version information of installed applications
---------------------------------------------

Root Patch VERSION INFORMATION
-----------------------------------
Version     : 1.0.0                             Vendor: Cisco Systems, Inc.
Build Date  : February 06 2009  12:44PST

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.2.0.899
Build Date   : Wed Jul 24 03:37:31 2013
Install Date : Fri Feb  7 02:59:40 2014   

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 7
Install Date : Fri Mar 28 10:32:25 2014