04-23-2018 01:05 PM - edited 02-21-2020 10:54 AM
Current Setup:
LDAP as the identity store for both domain computers and users.
PEAP-TLS or EAP-TLS as the authentication method.
Below is the configuration of the computer LAN connection:
Only the methods below are available for authentication:
I tried the first method (Smart Card or other Certificate) but am getting the prompt "need certificate" on the test computer. Take note that I have the root cert of the server and also the CSR from ISE bound with the server. In short, I have all the required certificates on ISE.
When I used the 2nd method, I am getting the error below:
I have successfully integrated ISE with LDAP, as I am able to fetch the groups from LDAP and use them in the policy.
Why is ISE not able to locate my username?
Is there compatibility between LDAP and the authentication method that I have used?
I can't use AD as I am not able to fetch the groups/users from AD; that's why we used LDAP.
It's already been a couple of days looking for the exact setup, but I always find most of them using AD as the identity store.
All I need is the same setup, with LDAP as the server, and what needs to be configured on the computer LAN connection.
Thank you in advance.
04-24-2018 10:54 PM
Thanks, RJI. I tried to rejoin the AD one more time but am still not able to fetch the groups from AD.
I tried a test user from ISE and it was successful. Then, from the result, I found the directory group and searched for it manually. That time, I was able to fetch the exact group that I was trying to fetch.
Now my policy in ISE is working fine and I will just conduct more tests.
I am just wondering why I can't fetch groups using "*".
Thank you so much.
04-24-2018 06:31 AM
Hi,
Can you provide a screenshot of your authentication and authorisation policy please?
Can you provide a screenshot of the failed authentication?
In regard to your statement using Smart Card or other Certificate, this requires a User and/or Computer certificate on all of the computers, in addition to the Server certificate you've configured on ISE.
Why can you not fetch groups from AD? Once you've created an External Identity Source for AD, you just need to go to the groups tab and select the groups you want. Or is there a communications error? Perhaps take a screenshot and upload here?
HTH