Several Active Directory in ISE

I'd like to know if it is possible to have several independent AD servers in ISE?
Thanks

Hi Mehdi,
I was going through a discussion and FAQs on ISE, which say that support for multiple AD domains will be added in ISE 1.3. In current releases, domains need a two-way trust. You may use LDAP for now.
Authenticating to Multiple AD Domains.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

  • Cisco ISE 1.2 and 2 Active Directory Domains

    Hi Support,
    does anyone know whether I can perform Certificate Authentication for two different Active Directory domains using the same ISE host / deployment?
    We have two forests with a trust link between them.
    We have a separate PKI in each domain.
    I am thinking that the ISE can only be joined to a single domain, but because we have a trust between the two forests, the ISE can have two certificate profiles in an identity source sequence which can then be used in a single authorisation policy.
    I take it that I would need local certs from each CA in the local certificate store of the ISE?
    We are performing a company merger and we cannot migrate users to the primary AD domain due to several reasons so we would like to use the same ISE deployment to authenticate Wireless users on both AD domains.
    Thanks
    Mario

    Mario,
    This is possible.  Here are the guidelines for the Multi-Forest support in ISE 1.2:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1350874
    You would have to set a new Certificate Authentication Profile for each domain and use the Authentication Policies to determine which of the Certificate Authentication Profiles to use.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1349174
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] The end user entered an incorrect username.
    2.] The shared secret between the WLC and ISE is mismatched. With this we'll see continuous failed authentications.
    3.] As long as a PSN is not receiving a response from the supplicant within the limit during an EAP conversation, it will throw this error code. In the majority of cases it says the EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • ISE 1.2 Admin Access via Active Directory

    Hi Experts,
    Good Day!
    I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
    Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
    Thanks for your great help.
    niks

    Niks,
    I just got done doing this.  First of all you have to have the Active Directory set up as an external data source.  Once you do that, click on Administration - - Admin Access.
    For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
    Then click on Administrators - - Admin Users.  Click Add a user - - Create Admin User.  Ensure to check the External box and you will notice the Password field goes away.  Fill out the appropriate information and then assign them to an Admin Group.
    Once you are done with that you can test that user by logging out of your ISE session.  You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user.  Change the selection to Active Directory, enter the AD user/password for the newly created account, and you should be good to go.
    Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

  • ISE 1.2 Active Directory Question

    Hi,
    I have a question regarding using Active Directory as an External Identity Source.
    Our customer has 4 AD servers in their domain and thus 4 DNS entries for the domain. When I join ISE to the domain DNS resolves to one address and uses that machine to perform the join operation. What happens if the machine subsequently fails - does my ISE node need to leave and then re-join the domain or is this handled by some other method?
    Thanks
    Alan

    Assuming that they're part of the same AD domain ISE will learn all of the DCs in the domain and you'll likely find after a while that it has moved to a different DC. We have over 100 DCs in our domain and it works just fine, no intervention is required to get it to connect to a different DC if the one it's connected to disappears.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup with ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt
    because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
    event logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have the ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources' page and select our AD instance from the left hand side window, the screen locks up and refuses to load.  Any advice?

    Hi,
    I also had this issue (and one of my colleagues also) when using Firefox (versions 34 and 35).
    I managed to create the AD server using IE 10, for example, and afterwards it appears correctly with Firefox.
    It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
    Guillaume

  • ISE 1.0.4 & Windows Active Directory

    We are planning to add a NAC solution in our network and we are a little confused with ISE. Can ISE support single sign-on with Windows Active Directory in this version 1.0.4? If yes, how can we do it?
    Thank you

    Thanks for prompt answer,
    Something more: I can't find on the following page which is the correct licence in order to install a DEMO ISE in my network. https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
    Can you help me?

  • Cisco ISE Active Directory Add Group

    Hi,
    I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
    I have attached a print capture of the "add group" for reference.
    Any suggestion is appreciated.

    I apologize for not following Ravi's post. However, you can enter the group if searching for groups fails. It is case and format sensitive, so using the method has to be precise. One example is looking in the authentication report for a user under the "other attributes"; if there is a group you want to apply as a policy, you can copy and paste that group syntax under the add group which you posted.
    Sent from Cisco Technical Support Android App

  • ISE / Active Directory

    We have a wireless setup using WLC and ISE, authenticating BYOD against Active Directory.
    The challenge we have is that when users change their AD password, they forget to update their smartphones, resulting in their AD accounts being locked out.
    We have PEAP enabled, with retries set to 1.
    When does the retries "reset" so that it will try again?
    And are there other things we can look at to prevent this behaviour?

    The best thing to do is to train your users to update the password in all their devices. Otherwise the account will be mostly locked out if an auto-auth device is configured with the old password.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ISE : Active Directory integration long usernames sAMAccountname

    Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2.  They've encountered an issue where some users with long usernames are failing authentication to ISE.  ISE logs that the user is not found in the user database (Active Directory).
    Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.
    sAMAccountname is limited to 20 characters. 
    Customer is running a full Windows 2008 domain and users log in to the domain using their User Principal Name (no 20 character limit).  Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find the user in the AD database.
    Is there a way to point ISE to use a different username token instead of sAMAccountname?  or is this a known issue?

    I don't think there is any way to increase the limit of 20 characters. You have to create the user name within the 20 character limit.

  • ISE - Active Directory - LDAPS

    I think I understood the customer concern. This is quoted from Microsoft: http://support.microsoft.com/kb/321051
    "The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
    So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
    The ISE User Guide indicates that one of the ports required to be open in case a firewall exists between ISE and AD is 636 (LDAPS). (ISE User Guide Page 5-6)
    In my case there is no FW between ISE and AD, so how can I be sure LDAPS is being used?
    The ISE User Guide explains a little about security if the external identity source is LDAP, but nothing about security is indicated in the Active Directory configuration.
    Regards.

    Hi,
    The AD join operation allows you to run the PEAP protocol and is much more resilient than using LDAP because of the way it joins itself to the domain. It uses Kerberos and RPC when performing user authentication.
    When using LDAPS, that is configuration based on when you add the LDAP instance.
    Sent from Cisco Technical Support iPad App

  • Cisco ISE Process Flow with Active Directory

    Hi guys,
    Today I did a lab and saw this note at the Authentication Policy interface. The note is:
    Note: For authentications using PEAP, LEAP, EAP-FAST or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, requests will be rejected.
    Then I thought that the best way to configure the authentication policy for Flex Auth: Dot1x (with Active Directory) > MAB (Internal Endpoint) > CWA (Guest and other users) will be using the EAP-TLS authentication protocol.
    Is this possible using another protocol instead of EAP-TLS (which requires a client certificate to have already been installed)? Would you mind helping me to resolve the problem? And what will the network authentication method at the end user side be?
    Any help will be much appreciated.

    Please refer to the Supported Authentication Protocols (including PEAP), database and authentication types below:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1266680

  • Cisco ISE with Active Directory

    Dears,
    I have 1 switch connected to Cisco ISE 1.3, 6 PCs and Active Directory.
    My responsibility is to make a policy on the Cisco ISE denying any one of these 6 PCs access to
    the network unless it's joined to the Domain (AD).
    I don't know how to do that and I'm new to Cisco ISE.
    If someone can help me with the procedure, a helpful link for my task, or any hint/info to search about!!
    I did the integration between the Cisco ISE and AD, but still I don't know where and how to put the policy on the ISE saying if one of these devices is not on the domain, kick it out of the network.
    Thanks,

    machine + user authentication
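As an added illustration for the 24415 lockout thread and the password-change thread above (not code from those posts or from Cisco), this Python groups constructed ISE-style failure records so a helpdesk can see which endpoint kept presenting an old password before the account locked. The record layout, the sample users and the MAC addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WRONG_PASSWORD = 24408   # failure reasons quoted in the threads above
ACCOUNT_LOCKED = 24415

# Constructed sample records (assumed layout, not the real ISE export):
# timestamp, user, calling-station-id (endpoint MAC), failure code.
SAMPLE_LOG = """\
2014-03-10T08:01:12 jdoe 00:11:22:33:44:55 24408
2014-03-10T08:01:45 jdoe 00:11:22:33:44:55 24408
2014-03-10T08:02:30 jdoe 00:11:22:33:44:55 24408
2014-03-10T08:03:05 JDOE aa:bb:cc:dd:ee:01 24415
2014-03-10T09:15:00 msmith 66:77:88:99:aa:bb 24408
"""

def parse_log(text):
    """Parse the constructed records, normalising user and MAC to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mac, code = line.split()
        records.append((datetime.fromisoformat(ts), user.lower(),
                        mac.lower(), int(code)))
    return records

def stale_credential_endpoints(records, threshold=3, window=timedelta(minutes=10)):
    """Map user -> endpoints with >= threshold wrong-password failures inside
    one window: the signature of a device retrying an old password."""
    stamps = defaultdict(list)
    for ts, user, mac, code in records:
        if code == WRONG_PASSWORD:
            stamps[(user, mac)].append(ts)
    flagged = defaultdict(list)
    for (user, mac), times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user].append(mac)
                break
    return dict(flagged)

def lockout_suspects(records):
    """For each 24415 lockout, list the other endpoints that failed 24408 for
    that user beforehand: the devices most likely still holding the old password."""
    suspects = {}
    for ts, user, mac, code in records:
        if code == ACCOUNT_LOCKED:
            suspects[user] = sorted({m for t, u, m, c in records
                                     if u == user and c == WRONG_PASSWORD
                                     and t < ts and m != mac})
    return suspects
```

Tune `threshold` and `window` to the PEAP retry setting in use; with retries set to 1, even a single stale device produces a steady stream of 24408 entries before the lockout.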
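For the sAMAccountName thread above, an added Python illustration (not from the post or from ISE) that parses the RADIUS User-Name formats and shows why a UPN user part longer than 20 characters cannot be matched as a sAMAccountName, while a lookup on the full UPN would still find the account. The directory entries and sample names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SAM_MAX_LEN = 20  # sAMAccountName limit discussed in the thread above

# Constructed directory entries (assumption): the long-named user's
# sAMAccountName had to be shortened, but the UPN keeps the full name.
DIRECTORY = [
    {"sAMAccountName": "christopher.vanderb",
     "userPrincipalName": "christopher.vanderbilt@corp.example.com"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example.com"},
]

@dataclass
class Identity:
    raw: str
    fmt: str              # "upn", "netbios" or "bare"
    token: str            # the part a sAMAccountName lookup would use
    realm: Optional[str]
    sam_ok: bool          # False when the token cannot be a sAMAccountName

def parse_identity(user_name: str) -> Identity:
    """Split a RADIUS User-Name into lookup token and realm."""
    name = user_name.strip()
    if "\\" in name:                  # DOMAIN\user
        realm, token = name.split("\\", 1)
        fmt = "netbios"
    elif "@" in name:                 # user@domain.example (UPN)
        token, realm = name.rsplit("@", 1)
        fmt = "upn"
    else:
        token, realm, fmt = name, None, "bare"
    return Identity(name, fmt, token, realm, len(token) <= SAM_MAX_LEN)

def at_risk(user_names):
    """Names whose user part is longer than any sAMAccountName can be."""
    return [i.raw for i in map(parse_identity, user_names) if not i.sam_ok]

def lookup(value: str, attribute: str):
    """Case-insensitive match on one directory attribute (constructed data)."""
    for entry in DIRECTORY:
        if entry[attribute].lower() == value.lower():
            return entry
    return None

def resolve(user_name: str):
    """Reproduce the failure: a sAMAccountName lookup of the UPN's user part
    misses, and only a match on the full UPN finds the account."""
    ident = parse_identity(user_name)
    by_sam = lookup(ident.token, "sAMAccountName")
    if by_sam is None and ident.fmt == "upn":
        return lookup(ident.raw, "userPrincipalName")
    return by_sam
```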
