Cisco Support Community

New Member

ISE-AD Communication Problem

Dear Experts,

I am getting the below error in ISE while I am trying to authenticate:

"ISE has the communication problem with the active directory with its machine authentication". In External Identity Sources, the ISE is connected to the AD group. What is to be done?

And also, please tell me which protocol or port number ISE and AD use to communicate.

Thanks in advance..

KVS

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE-AD Communication Problem

Hi Prasan,

That's correct. It only supports LDAP on port 389 (clear text). This feature is planned to be supported, but no work has been done on it yet. Here is an enhancement request for your reference:

CSCsx72116: WLC: Add support for secure LDAP

Symptom:

WLC does not support LDAPS (Secure LDAP).

Conditions:

Connecting to Secure LDAP, usually with port 636.

Workaround:

Use Plain LDAP.

As of now, either you can continue to use plain LDAP (389) or put ACS/ISE in between for secure communication between them.

~BR
Jatin Katyal

**Do rate helpful posts**

14 REPLIES
New Member

ISE-AD Communication Problem

Guys, any suggestion?

Bronze

Re: ISE-AD Communication Problem


You had better redirect your question to the Security - Identity community :)


Sent from Cisco Technical Support iPad App

New Member

ISE-AD Communication Problem

Thanks for your guidance ...

Cisco Employee

Re: ISE-AD Communication Problem

Hi Prasan,

Are you able to see ISE (hostname) as a computer object in Active Directory? Can you explain the steps of how you integrated ISE with AD? Also, for a quick test, if possible, can you delete the AD configuration from the ISE, make sure there is no computer object for ISE in the AD, and join again?

If there is a firewall between Cisco ISE and Active Directory, certain ports need to be opened to allow Cisco ISE to communicate with Active Directory. Ensure that the following default ports are open:

Protocol          Port Number
LDAP              389 (UDP)
SMB               445 (TCP)
KDC               88 (TCP)
Global Catalog    3268 (TCP), 3289
KPASS             464 (TCP)
NTP               123 (UDP)
LDAP              389 (TCP)
LDAPS             636 (TCP)
~BR
Jatin Katyal

**Do rate helpful posts**

Cisco Employee

Re: ISE-AD Communication Problem

For more information about the prerequisites for integrating Cisco ISE with Active Directory, I'd suggest you go through the link mentioned below. It specifically covers what you need in the first place.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059011

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: ISE-AD Communication Problem

Thanks Jatin. I will test it and get back here. But I really wonder whether the same communication with AD works when L2 security is configured on the controller. Something looks strange.

I see many ports to be opened in the firewall as in the table you gave, but I think it uses only 389 TCP to communicate with AD. Is that correct?

Message was edited by: Prasan Venky

Cisco Employee

Re: ISE-AD Communication Problem

All these ports actually help ACS to join with AD. Only ports 3269 and 636 are required when we are using secure LDAP. You should have them open on the firewall to avoid any issues. Once they are joined, ACS-AD communication mostly depends on ports 389 and 3268.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: ISE-AD Communication Problem

Hello

We finally integrated WLC with LDAP without the use of ISE. We tested with port 389. It was working and clients were authenticating, but the same with ports 636 and 3269 is not working.

We need to secure the LDAP transaction. Any idea?

ISE-AD Communication Problem

Prasan,

In response to your question regarding the many ports in addition to 389: ISE uses these ports to join Active Directory as a domain machine. It uses Kerberos to perform authentication, and it supports many authentication protocols that are not supported with your conventional LDAP protocol, i.e. PEAP-MSCHAPv2.

If you need to connect to ports 636 and 3269, you will need to have the root certificate from the LDAP server and import that into the controller, if it is supported. You may need to post this question on the wireless forums if you are looking to integrate the WLC with the LDAP server directly without ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*

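To verify the two things this thread turns on, the firewall ports from Jatin's table and the root-certificate trust that Tarik describes for LDAPS, here is an added Python check (my own example, not Cisco's or the posters' code). It assumes the DC hostname and CA file are passed in by the operator; UDP ports (NTP 123, LDAP 389/UDP) are left out because a TCP connect cannot test them.

```python
import socket
import ssl

# TCP flows from the port table posted above (Cisco ISE <-> Active Directory).
# Assumption: 3269 is the Global Catalog over SSL, the port the thread pairs with 636.
ISE_AD_PORTS = [
    ("LDAP", 389, "tcp"),
    ("SMB", 445, "tcp"),
    ("KDC", 88, "tcp"),
    ("Global Catalog", 3268, "tcp"),
    ("KPASS", 464, "tcp"),
    ("LDAPS", 636, "tcp"),
    ("Global Catalog SSL", 3269, "tcp"),
]


def tcp_connector(host, port, timeout=3.0):
    """Real connector: True when a TCP handshake completes through the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports=ISE_AD_PORTS, connector=tcp_connector):
    """Map 'service/port' -> reachable. The connector is injectable so the
    logic can be exercised offline with a fake instead of a live DC."""
    return {f"{svc}/{port}": connector(host, port) for svc, port, _ in ports}


def missing_ports(results):
    """Flows the firewall (or the DC itself) is not letting through."""
    return sorted(k for k, ok in results.items() if not ok)


def ldaps_chain_ok(host, cafile, port=636, timeout=3.0):
    """Check the DC's LDAPS certificate against the domain root CA you would
    import into the WLC/ISE. Returns None on success, else the failure reason."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_message  # e.g. unable to get local issuer certificate
    except (ssl.SSLError, OSError) as e:
        return str(e)
```

A non-None result from ldaps_chain_ok with port 636 reachable means the transport is open but the trust chain is wrong, which is the symptom to expect before the root certificate is imported.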
New Member

Re: ISE-AD Communication Problem

Thanks for your reply. I didn't bother about this root certificate from LDAP server. I will try to load in to the WLC and check.

Many thanks for your support.

Cisco Employee

Re: ISE-AD Communication Problem

Hi Prasan,

In case you get stuck somewhere and need some reference, please take a look here:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: ISE-AD Communication Problem

Dear Jatin & Tarik,

We finally found that LDAPS (636/3269) is not supported by the Cisco controllers yet. Only LDAP with 389. That's the wireless part.

Anyway, many thanks for the support provided on the LDAP side.

KVS

New Member

Re: ISE-AD Communication Problem

That's very clear. Thanks Jatin.
