Integrating Active Directory with Cisco ISE. How to fix Error: LW_ERROR_CLOCK_SKEW
Hi friends! In this lab, I’ll show you how to fix error code 40087 (LW_ERROR_CLOCK_SKEW). If your ISE server’s clock is not synchronized with the Active Directory DC, authentication can fail. This is because AD uses Kerberos authentication, and Kerberos tickets carry timestamps that the DC checks against its own clock.
The topology is shown below:
DNS and the DC have been preconfigured on Windows Server 2012, as shown below:
1. Configure the Cisco router as NTP server
gw1(config)#clock timezone <zone-name> <hours-offset-from-UTC>
gw1(config)#ntp master 1
2. Configure Windows Server as NTP client
- Open gpedit.msc from the Run dialog (you must be logged in with administrator rights)
Go to: Local Computer Policy > Administrative Templates > System > Windows Time Service > Time Providers > Enable Windows NTP Client
> Configure Windows NTP Client
NtpServer: 10.1.1.254,0x9 (your NTP server IP address,0x9)
Type: NTP
SpecialPollInterval: 60
Services > Windows Time > Start
Now open the command prompt with administrative rights and run this command:
w32tm /config /manualpeerlist:"10.1.1.254,0x1" /syncfromflags:manual /reliable:YES /update
3. ISE NTP configuration (CLI)
ISE/admin(config)# ntp server 10.1.1.254
ISE/admin(config)# end
ISE/admin# show ntp
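As an added example that is not part of this lab, the following Python builds a constructed SNTP server reply, computes the clock offset the way an NTP client does from the four timestamps, and flags whether that offset exceeds the Kerberos clock tolerance. The 300-second tolerance is an assumption based on the usual Kerberos default; the timestamps are constructed, not captured from the lab.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300      # assumed default Kerberos clock tolerance, in seconds
NTP_FMT = "!BBbb11I"         # header, stratum, poll, precision, then eleven 32-bit words


def to_ntp(unix_ts):
    """Unix seconds (float) -> 64-bit NTP timestamp as (seconds, fraction)."""
    secs = int(unix_ts) + NTP_UNIX_DELTA
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return secs, frac


def from_ntp(secs, frac):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_server_reply(t1, t2, t3, stratum=1, leap=0):
    """Construct a 48-byte SNTPv4 reply (mode 4). t1 = client originate time,
    t2 = server receive time, t3 = server transmit time (server clock)."""
    header = (leap << 6) | (4 << 3) | 4  # LI, VN=4, Mode=4 (server)
    ref_id = 0x4C4F434C                   # "LOCL", a local reference clock
    return struct.pack(NTP_FMT, header, stratum, 6, -20, 0, 0, ref_id,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_offset(packet, t4):
    """Return the clock offset (server minus client, seconds) from a reply
    that the client received at its local time t4."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FMT, packet[:48])
    if (f[0] & 0x7) != 4:
        raise ValueError("not an NTP server reply")
    if (f[0] >> 6) == 3:
        raise ValueError("server reports its clock is unsynchronised")
    t1 = from_ntp(f[9], f[10])    # originate timestamp
    t2 = from_ntp(f[11], f[12])   # receive timestamp
    t3 = from_ntp(f[13], f[14])   # transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2.0


def skew_exceeds_tolerance(offset, tolerance=KERBEROS_MAX_SKEW):
    """True when the measured offset would make Kerberos reject tickets."""
    return abs(offset) > tolerance
```

An offset beyond the tolerance is the condition that surfaces as LW_ERROR_CLOCK_SKEW when ISE tries to join the domain; once NTP has converged, the offset should be well under a second.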
Now let’s try again to join ISE to AD.
Go to: Administration > External Identity Sources > Active Directory
Done!