ISE and MS Active Directory Integration Issue

Unanswered Question
Aug 12th, 2013

It appears that our ISE 1.2 solution is having issues with nested MS AD groups. The first login attempt always fails, the second occasionally works and the third always works. Has anyone else experienced these login issues with ISE 1.2 and MS AD?

Sent from Cisco Technical Support iPhone App

Tarik Admani Mon, 08/12/2013 - 21:30

Hi,

When you look at the authentication details, do you see the groups listed in the additional attributes? Also, are there any other conditions, such as endpoint groups, in combination with the authorization policy? Can you provide a screenshot of your policies?


Sent from Cisco Technical Support Android App

Rick Daoust Tue, 08/13/2013 - 11:32

Hi Tarik,


Please see screenshots below:

[Screenshots: AD_auth_profile.png, AD_groups_ISE.png, AD_external_groups.png]

Thanks,

Tarik Admani Tue, 08/13/2013 - 19:32

Basant,


The integration against Active Directory is working fine; he is having issues with consistency. Does the link provided above address consistency issues?


Tarik Admani
*Please rate helpful posts*

Tarik Admani Tue, 08/13/2013 - 19:37

Rick,


I am a little lost in the screenshots you posted. In the AD groups that you have pulled, I don't see an authorization policy mapped to the first group. In the authentication report it looks like authentication is successful.


I have seen that ISE will only display a few of the groups now in ISE 1.2. Can you build a policy based on the group you want it to show and then try your authentication again? That is when ISE will show the specific group, as opposed to ISE pre-1.2, where it would show more groups.


Thanks,



Tarik Admani
*Please rate helpful posts*
