ISE not able to authenticate computer and users using LDAP Server

ecejhe-old
Level 1

Current Setup:

LDAP as Identity stores for both domain computers and users.

PEAP-TLS or EAP-TLS as authentication method

 

Below is the configuration of the computer LAN: Capture.JPG

 

Only the methods below are available for authentication:

 Capture.JPG2.JPG

 

I tried the first method (Smart Card or other Certificate) but I am getting the prompt "need certificate" on the test computer. Take note that I have the root cert of the server and also the CSR from ISE bound with the server. In short, I have all the required certificates on the ISE.

 

When I used the 2nd method, I get the error below:

Capture.JPG3.JPG

 

I have successfully integrated the ISE with LDAP, as I am able to fetch the groups from the LDAP and use them in the Policy.

 

Why is ISE not able to locate my username?

Is there compatibility between LDAP and the authentication that I have used?

 

I can't use the AD as I am not able to fetch the groups/users from AD; that's why we used LDAP.

It's already been a couple of days looking for the exact setup, but I always found most of them using AD as Identity Store.

 

All I need is the same setup, LDAP as server, and what needs to be configured on the computer LAN connection.

 

Thank you in advance.

 

 

2 Replies

Hi,

Can you provide a screenshot of your authentication and authorisation policy please?

Can you provide a screenshot of the failed authentication?

 

In regard to your statement using Smart Card or other Certificate, this requires a User and/or Computer certificate on all of the computers, in addition to the Server certificate you've configured on ISE.

 

Why can you not fetch groups from AD? Once you've created an External Identity Source for AD, you just need to go to the groups tab and select the groups you want. Or is there a communications error? Perhaps take a screenshot and upload here?

 

HTH

Thanks RJI. I tried to rejoin the AD one more time but I am still not able to fetch the groups from AD.

I tried to test a user from ISE and it was successful. Then, from the result I found the directory group and manually searched for it. That time, I was able to fetch the exact group that I was trying to fetch.

Now, my policy in ISE is working fine and I will just conduct more tests.

 

I am just wondering why I can't fetch groups using "*".

 

Thank you so much.