12-13-2017 06:05 AM - edited 02-21-2020 10:41 AM
Hi,
I need to know which SMB version Cisco ISE v1.1.3 uses to communicate with Active Directory, because when SMB version 1 is disabled on the Windows Server Active Directory, user authentication requests stop working, for example WiFi users authenticating against AD through ISE.
I'd really appreciate it if someone could point me to a document on the SMB versions Cisco ISE requires.
Here is the version on which I have this situation:
============================================================
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 1.1.3.124
Build Date : Thu Feb 7 04:55:38 2013
Install Date : Thu Jul 18 16:32:34 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 13
Install Date : Thu Aug 06 20:07:16 2015
Here is a test in which we can see just the protocol and port, but not the version.
============================================================
Domain Diagnostics
Domain: xyz.com.br
Subnet Site: abc
DNS Query For: _ldap._tcp.axyz.com.br
Found SRV Records:
ad01.xyz.com.br:389
Testing Active Directory Connectivity:
Domain Controller: ad01.xyz.com.br:389
Ldap: 389/tcp - Good
Ldap: 389/udp - Good
Smb: 445/tcp - Good
Kdc: 88/tcp - Good
Kpasswd: 464/tcp - Good
Ntp: 123/udp - Good
============================================================
Thanks!
Flavio L.
12-13-2017 02:06 PM
12-14-2017 12:02 PM
I had to open a ticket with TAC for something similar. In my case I wanted to know if v2.1 used SMB and, if so, which version.
Reply:
I understand that you are interested in the SMB version supported in ISE and I will do my best to help you. SMBv1 was supported and used for ISE versions 1.2 and below. For newer ISE versions SMBv1 is replaced by MSRPC. With this in mind, SMB is not being used for the authentications or the connection to AD. Please refer to the official documentation here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html
If you compare the table “Network Ports That Must Be Open for Communication” with the one from the documentation for ACS, which works with SMB, you can see that SMB is replaced by MSRPC instead. The old ISE documentation for 1.2 can be accessed here, the table in section “Guidelines for Setting Up Active Directory as an External Identity Source” https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html
Hope that helps.
12-18-2017 03:15 AM
Thank you so much for trying to help me!
I need to know if ISE version 1.1.3 supports SMB v2 or higher, because I have a client that no longer wants to use SMB v1 for security reasons. However, when they disable SMB v1, ISE stops logging on to AD.
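The thread says ISE 1.2 and below relied on SMBv1, so the practical question for the Windows side is which clients still negotiate SMBv1 before it is switched off. The following PowerShell is an added example, not code from this thread or from Cisco or Microsoft documentation: on a Windows Server 2016 or later domain controller it reports the current SMB1 server state, turns on SMB1 access auditing, and then summarises the client addresses recorded in the SMBServer audit log so an ISE node can be spotted before SMB1 is disabled. It assumes it runs as an administrator on the DC, that `$IseNodeAddress` is a placeholder for the ISE node's address, and that audit event 3000 carries a "Client Address:" line in its message text.

```powershell
# Added example (not from the thread, Cisco or Microsoft docs).
# Goal: find out whether an ISE node still negotiates SMB1 with this DC
# before SMB1 is disabled, so the AD join does not break unexpectedly.
# Assumptions: Windows Server 2016+ DC, run elevated; $IseNodeAddress is a placeholder.

$IseNodeAddress = '10.0.0.10'   # placeholder for the ISE node's IP address

# 1. Current SMB1 state on the server side
$cfg = Get-SmbServerConfiguration
"SMB1 enabled : $($cfg.EnableSMB1Protocol)"
"SMB1 audit   : $($cfg.AuditSmb1Access)"

# 2. Turn on SMB1 access auditing (events land in Microsoft-Windows-SMBServer/Audit, ID 3000)
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a period of normal operation, collect the clients that negotiated SMB1
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

$clients = $events | ForEach-Object {
    # Assumption: the event message contains a "Client Address: <ip>" line
    if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
} | Group-Object | Sort-Object Count -Descending

$clients | Select-Object @{n='ClientAddress';e={$_.Name}}, Count | Format-Table -AutoSize

# 4. Flag whether the ISE node is among the SMB1 clients
if ($clients.Name -contains $IseNodeAddress) {
    "ISE node $IseNodeAddress is still negotiating SMB1; disabling SMB1 will break its AD connection."
} else {
    "No SMB1 negotiation seen from $IseNodeAddress in the audit log so far."
}
```

Run step 3 only after the audit has been on long enough to cover a normal authentication cycle (a WiFi logon through ISE, a machine-account password change), since the log only shows SMB1 sessions that occurred after auditing was enabled. If the ISE node shows up, the thread's guidance applies: move to an ISE release that uses MSRPC instead of SMBv1 before disabling SMB1 on the domain controllers.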