ISE LDAP to MFA server

cscotty1972
Level 1

I am in the process of trying to set up an LDAP connection to an MFA proxy server. I am able to test bind the connection and can see the connection on the MFA proxy server. The issue is when I try to log in to a Nexus switch I have set up in ISE using TACACS+ for device admin. I never see anything from ISE on the MFA server when this request is done.


Here is what I am seeing in ISE:


13005 Received TACACS+ Authorization Request
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15013 Selected Identity Source - MFA_test
24031 Sending request to primary LDAP server - MFA_test
24016 Looking up user in LDAP Server - MFA_test
24019 LDAP connection error was encountered - MFA_test ( Step latency=45001ms)
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request


I am still learning, so I am sure there is something I am missing. Are there any other tools on ISE that would assist with investigating this? I am working on setting up a sniffer, so I don't have that info yet.
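The step log quoted above already carries the most useful clue: the 24019 error was recorded with a step latency of 45001 ms, and the sequence ends in the identity source's 'Drop' advanced option. The following is an added example, not code from the post or from Cisco, that parses an ISE step log of this shape and decides whether the LDAP error looks like a timeout (ISE waited for the full configured LDAP server timeout) or a failure returned sooner (a connection refused or reset). The configured timeout is an input the operator reads from the LDAP server definition in ISE; the timeout values used in the usage call are assumptions, and the sample steps are the ones quoted in the post with the step codes separated from their messages.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ISE authentication steps quoted in the post, with each
# five-digit step code separated from its message by a space.
SAMPLE_STEPS = """\
13005 Received TACACS+ Authorization Request
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy
15013 Selected Identity Source - MFA_test
24031 Sending request to primary LDAP server - MFA_test
24016 Looking up user in LDAP Server - MFA_test
24019 LDAP connection error was encountered - MFA_test ( Step latency=45001ms)
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
"""

# A step line is a five-digit code, optional whitespace, then the message text.
STEP_RE = re.compile(r"^\s*(?P<code>\d{5})\s*(?P<msg>.*?)\s*$")
# ISE appends the per-step latency to slow steps in this form.
LATENCY_RE = re.compile(r"Step latency=(?P<ms>\d+)ms")


@dataclass
class Step:
    code: str
    message: str
    latency_ms: Optional[int]


def parse_steps(text: str) -> List[Step]:
    """Parse ISE step lines into Step records; lines without a step code are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        lat = LATENCY_RE.search(m.group("msg"))
        latency = int(lat.group("ms")) if lat else None
        steps.append(Step(m.group("code"), m.group("msg"), latency))
    return steps


def diagnose(steps: List[Step], ldap_timeout_s: int) -> dict:
    """Summarize the LDAP outcome of one authentication attempt.

    ldap_timeout_s is the server timeout configured on the LDAP identity source in
    ISE. If the 24019 step's latency reaches that value, ISE gave up waiting rather
    than receiving a refusal, which points at the timeout rather than reachability.
    """
    findings = {
        "identity_source": None,
        "ldap_error": False,
        "latency_ms": None,
        "timed_out": False,
        "dropped": False,
    }
    for s in steps:
        if s.code == "15013":
            # "Selected Identity Source - <name>"
            findings["identity_source"] = s.message.split(" - ", 1)[-1]
        elif s.code == "24019":
            findings["ldap_error"] = True
            findings["latency_ms"] = s.latency_ms
            if s.latency_ms is not None and s.latency_ms >= ldap_timeout_s * 1000:
                findings["timed_out"] = True
        elif s.code == "22062" and "'Drop'" in s.message:
            # The request was silently dropped, so the NAS sees no reject, only silence.
            findings["dropped"] = True
    return findings


if __name__ == "__main__":
    parsed = parse_steps(SAMPLE_STEPS)
    # Assumed timeout values for illustration; read the real one from ISE.
    for timeout in (45, 99):
        print(timeout, diagnose(parsed, timeout))
```

With an assumed 45-second timeout the 45001 ms latency is classified as a timeout; with the 99-second maximum it is not, which is the distinction worth making before looking at the proxy's connection logs.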

2 Replies

Jason Kunst
Cisco Employee

I don't think this is a possible integration point. You can link together something like Duo via a RADIUS proxy server, as described here, but not via LDAP that I know of, unless your RADIUS proxy can integrate.


https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231


I have also tagged my coworker @hslai to see if she can take a look.

hslai
Cisco Employee

Please note MFA may need longer timeouts because it usually waits for the user to respond (e.g. generating a new one-time password).

A couple of things to check:

  • ISE is able to connect to the MFA proxy server via LDAP
    • In ISE, verify the test connection
    • In the MFA proxy, check the connection logs
  • LDAP server timeouts
    • In ISE, each LDAP server connection may have its own timeout, 99 seconds max
    • In the MFA proxy, check the vendor doc