03-14-2021 12:35 PM
I've got a lab deployment where I'm testing and I've set up ISE. Joined it to AD and have everything set up successfully. My understanding was ISE would use AD to populate endpoints it finds there. I have one machine joined to AD as well as the AD server itself obviously. ISE isn't showing anything for these. I unjoined and completely re-built the DC and re-joined to the new one, thinking maybe it was something on the DC, being it was a lab DC that had been beat up a bit with other things.
I used the domain administrator account to join. Again no issues there. Everything was successful.
I turned on the debug logs and the only errors I see are:
2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2021-03-14 14:24:38,219 VERBOSE,140027141027584,NtlmClientAcquireCredentialsHandle: principal=<null>, package=NTLM,lsass/client/ntlm/acquirecreds.c:69
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/interop/gssntlm/gssntlm.c:891
I've googled all over to see if I can find something about this but so far I'm not having any luck. Any help would be appreciated.
03-14-2021 04:04 PM
This is not how ISE works, so it is the wrong understanding of how ISE utilises integration with Active Directory. There are different ways ISE uses integration with AD, but the main two would be to authenticate endpoints/users via 802.1x or 'listen' for endpoint/user login events via WMI/MSRPC (referred to as PassiveID or EasyConnect). If the following guides do not address your scenario, please provide more information on exactly how you intend to use ISE and we may be able to suggest some additional guides.
03-14-2021 04:07 PM
I see that it's more reactive than proactive with this. It doesn't just probe AD and grab data to populate endpoints. It uses it when it sees new endpoints with mab/dot1x to check and gain more info! Thanks much!
03-14-2021 01:18 PM
Please take a look at:
Cisco ISE Device Administration Prescriptive Deployment Guide.
Cisco ISE Performance and Scale
Hope this helps!!!