What SMB version does Cisco ISE v1.1.3 use to communicate with Active Directory?

flleandro
Level 1

Hi,

 

I need to know what SMB version Cisco ISE v1.1.3 uses to communicate with Active Directory, because when SMB version 1 is disabled on the Windows Server Active Directory, the authentication requested from users doesn't work, for example when using WiFi and authenticating via AD through ISE.
I'd really appreciate it if someone could point me to a document about the SMB versions required by Cisco ISE.

Here is the version on which I have this situation:

============================================================

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version : 1.1.3.124
Build Date : Thu Feb 7 04:55:38 2013
Install Date : Thu Jul 18 16:32:34 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 13
Install Date : Thu Aug 06 20:07:16 2015


Here is a test in which we can see just the protocol and port, but not the version.
============================================================

Domain Diagnostics
 Domain: xyz.com.br
 Subnet Site: abc
   DNS Query For: _ldap._tcp.axyz.com.br
   Found SRV Records:
     ad01.xyz.com.br:389
 Testing Active Directory Connectivity:
   Domain Controller: ad01.xyz.com.br:389
    Ldap: 389/tcp - Good
    Ldap: 389/udp - Good
    Smb: 445/tcp - Good
    Kdc: 88/tcp - Good
    Kpasswd: 464/tcp - Good
    Ntp: 123/udp - Good

============================================================

 

Thanks!

Flavio L.
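
The connectivity test in the post above reports only that 445/tcp is reachable, not which SMB dialect is negotiated. As an added example (not from the original post or from Cisco), this Python classifies one captured client NEGOTIATE payload by its SMB protocol ID and offered dialects; the function names and sample messages are constructed for illustration and say nothing about what ISE itself sends.

```python
import struct

SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def classify_negotiate(payload: bytes):
    """Return (verdict, offered dialects) for one client NEGOTIATE seen on 445/tcp."""
    # Direct-TCP transport: one zero byte, then a 3-byte big-endian message length.
    if len(payload) < 4 or payload[0] != 0:
        raise ValueError("not a direct-TCP SMB message")
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == b"\xffSMB":                      # SMB1 header is 32 bytes
        if len(msg) < 35 or msg[4] != 0x72:        # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE")
        off = 33 + 2 * msg[32]                     # skip WordCount and parameter words
        (byte_count,) = struct.unpack_from("<H", msg, off)
        data = msg[off + 2:off + 2 + byte_count]
        # Each dialect is 0x02 followed by a NUL-terminated ASCII name.
        names = [p[1:].decode("ascii", "replace")
                 for p in data.split(b"\x00") if p[:1] == b"\x02"]
        if any(n.startswith("SMB 2.") for n in names):
            return "SMB1 negotiate that also offers SMB2", names
        return "SMB1 only", names
    if msg[:4] == b"\xfeSMB":                      # SMB2/3 header is 64 bytes
        if len(msg) < 100 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 NEGOTIATE")
        (count,) = struct.unpack_from("<H", msg, 66)
        codes = struct.unpack_from("<%dH" % count, msg, 100)  # dialect array
        return "SMB2 or later", [SMB2_DIALECTS.get(c, hex(c)) for c in codes]
    raise ValueError("unknown protocol id")

# --- Constructed sample messages (not captured from any real device) ---
def frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_negotiate(names):
    data = b"".join(b"\x02" + n.encode() + b"\x00" for n in names)
    return frame(b"\xffSMB\x72" + bytes(27) + b"\x00"
                 + struct.pack("<H", len(data)) + data)

def smb2_negotiate(codes):
    hdr = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58)   # Command field = 0
    body = struct.pack("<HH", 36, len(codes)) + bytes(32)  # 36-byte fixed part
    return frame(hdr + body + struct.pack("<%dH" % len(codes), *codes))

if __name__ == "__main__":
    print(classify_negotiate(smb1_negotiate(["NT LM 0.12"])))
    print(classify_negotiate(smb2_negotiate([0x0202, 0x0210, 0x0311])))
```

A client whose NEGOTIATE is classified as "SMB1 only" cannot complete the exchange against a domain controller that has SMBv1 disabled.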

3 Replies

flleandro
Level 1
Hello!

Could someone clarify this question, please?
I would rather not open a TAC case to get this information, but I think it will be necessary...

Anyway, thanks.

Flavio L.

bbcom_dylan
Level 1

I had to open a ticket with TAC for something similar. In my case I wanted to know if v2.1 used SMB and, if so, which version.

Reply:

 

I understand that you are interested in the SMB version supported in ISE and I will do my best to help you. SMBv1 was supported and used for ISE versions 1.2 and below. For newer ISE versions SMBv1 is replaced by MSRPC. With this in mind, SMB is not being used for the authentications or connection to AD. Please, refer to the official documentation here https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

 

If you compare the table “Network Ports That Must Be Open for Communication” with the one from the documentation for ACS, which works with SMB, you can see that SMB is replaced by MSRPC instead. The old ISE documentation for 1.2 can be accessed here, the table in section “Guidelines for Setting Up Active Directory as an External Identity Source” https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html

 

Hope that helps.

Thank you so much for trying to help me!

I need to know if ISE version 1.1.3 supports SMB v.2 or higher, because I have a client that no longer wants to use SMB v1 for security reasons. However, when it disables SMB v1, ISE stops logging on to AD.