Cisco Support Community

ISE : Machine/user ActiveDirectory group retrieving


We are migrating our ACS 5.1 to ISE 1.0.4.

- On ACS we were doing 802.1X authentication against an Active Directory, assigning the VLAN according to the computer/user group. In some cases the user VLAN could be different from the computer VLAN (e.g. an admin account connecting to a user account). This works great with ACS.

I tested the same function with ISE and the behaviour is a bit different:

- When the computer boots, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to, and the authorization profile is correctly applied according to the AD group.

- When the user logs in, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the ones belonging to the computer, not the user. So the authorization profile is the one from the computer, not the user.

It seems that the AD group attributes are not updated correctly:

- AD logs show that the second authentication doesn't trigger a new group lookup from AD.

- Shutting down the switch port while the user is logged in triggers a new authentication, and the AD groups are then updated correctly.

- The Bug Toolkit references the same bug, but for WLC (CSCto83897), so I suspect it's present in other cases as well.

The NAS is a Catalyst 3750 running 12.2.58(SE2).

Many thanks for your reply.
