cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1472
Views
0
Helpful
5
Replies
Beginner

ISE 1.1.1 and AD connect failure

Hello,

I'm trying to join ISE to my AD. i have a linux vm as my time source for both AD/DC ( a vm) and ISE(actual appliance), both have sycn and time is the same on ISE and AD. I've opened all the ports and took off NAT between the two.

i get a successful join message, then it says "joined to domain but not connected"

i've turned off the windows firewall just in case.

in ISE i see:

base.bind.cache can't resolve LDAP service provider for test.com, check DNS

base.bind.healing disconnect reconnect failed

osutil module=LDAP SASL bind to ldap/ad.test.com@test.com GSSAP mechanism with LDAP error invalid credentials

network.state favorite DC marked as dead

but i see other information that is being pulled from the domain correctly.

everything is in DNS.

any clues?

thanks

Everyone's tags (6)
5 REPLIES 5
Advocate

ISE 1.1.1 and AD connect failure

Jaray,

From ISE can you issue "nslookup test.com" and see if the dns records that returned are accurate. Also do you have PTR records in DNS? Issue "nslookup x.x.x.x" and see if the hostname is correct for the domain controller.

Also what are you using for the binding account? Is it a domain admin account, if it is a new account is the flag to change password at next login disabled?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Beginner

ISE 1.1.1 and AD connect failure

Tarik

nslookup test.com

status noerror query:1 answer:3 authority:0

test.com in A      192.168.3.3

                 NS     ad.test.com

                 SOA     ad.test.com, hostmaster.test.com

nslookup 192.168.3.3

status noerror query:1 answer:1

3.3.168.192.in-add.arpa in PTR     ad.test.com

i'm using my original domain admin account to do the join, flag is disabled.

in wireshark i see a "bindrequest sasl" and response "invalid credentials"

Highlighted
Cisco Employee

ISE 1.1.1 and AD connect failure

I recently ran in to this issue and here is what I did :

Did a "netstat -a -p tcp" on the Windows domain controller. Saw that Port 389 (LDAP) wasnt enabled (not sure on why this happened however). Got in to Windows services console (services.msc), "Stopped" and "Started" the "Active Directory Service". Checked with netstat to see if the port was open now, it was. I did a test from ISE and later "Joined" the AD, it turned successful!

Other options to look for:

Its evident that this errror corps up when ISE has problem with the LDAP service. So to resolve this, here are somethings to look at/do :

(1) Check connectivity between the ISE and the DC.

(2) Check if ISE can resolve the DC name (from the CLI mode)

(3) Check if the NTP is set properly on ISE (Administration -> Settings -> System Time)

(4) Check if port 389 (LDAP) is open on the domain controller.

(5) See if a router/Firewall is blocking the LDAP port

The "Detailed" test under "Test Connection" from ISE gives verbose information about the failure cause.

-Hari

Participant

ISE 1.1.1 and AD connect failure

Kindly go through below video :

http://www.youtube.com/watch?v=FKXvhBdWA1E

Rising star

ISE 1.1.1 and AD connect failure

Please also check that your AD should not work in 2000 mixed mode. It should be in 2003 or 2008 native mode because some parameter of AD 2000 is not supported by ISE.