ISE not pulling endpoints from Active Directory

stamperbrian
Level 1

I've got a lab deployment where I'm testing and I've set up ISE. Joined it to AD and have everything set up successfully. My understanding was ISE would use AD to populate endpoints it finds there. I have one machine joined to AD as well as the AD server itself obviously. ISE isn't showing anything for these. I unjoined and completely re-built the DC and re-joined to the new one thinking maybe it was something on the DC being it was a lab DC that had been beat up a bit with other things.

 

I used the domain administrator account to join.  Again no issues there.  Everything was successful.


I turned on the debug logs and the only errors I see are:

2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2021-03-14 14:24:38,218 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2021-03-14 14:24:38,219 VERBOSE,140027141027584,NtlmClientAcquireCredentialsHandle: principal=<null>, package=NTLM,lsass/client/ntlm/acquirecreds.c:69
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84
2021-03-14 14:24:38,219 VERBOSE,140027141027584,Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/interop/gssntlm/gssntlm.c:891

 

I've googled all over to see if I can find something about this but so far I'm not having any luck. Any help would be appreciated. 

2 Accepted Solutions

Greg Gibbs
Cisco Employee

This is not how ISE works, so it is the wrong understanding of how ISE utilises integration with Active Directory. There are different ways ISE uses integration with AD, but the main two would be to authenticate endpoints/users via 802.1x or 'listen' for endpoint/user login events via WMI/MSRPC (referred to as PassiveID or EasyConnect). If the following guides do not address your scenario, please provide more information on exactly how you intend to use ISE and we may be able to suggest some additional guides.

ISE Secure Wired Access Prescriptive Deployment Guide 

ISE EasyConnect

I see that it's more reactive than proactive with this. It doesn't just probe AD and grab data to populate endpoints. It uses it when it sees new endpoints with mab/dot1x to check and gain more info! Thanks much!
