I am testing ISE External AD authentication and when I rename an AD security group that the user is a member of authentication against ISE is still successful, however the group name shown in the logs is the original group name and not the new renamed group name. This appears to be the same for both nested groups and those mapped directly to ISE in my testing.
After waiting what could be potentially 24 hours between retesting after renaming the group this appears to then show the correct renamed group in the authentication log. I believe that ISE has an ADclient cache which I assume is where the group name is being pulled from for the ISE logs and hence why this shows incorrectly for a period of time until it is refreshed.
I did find details of a configuration option on the ISE CLI to "Clear Active Directory Trusts Cache and restart/apply Active Directory settings". I have attempted to do this and this makes no difference to the names of the groups in the authentication log. However this may be due to CSCul65329 that I have found that seems to exhibit the similar symptoms to what I am experiencing.
So I guess what I am asking is, has anyone else experienced similar issues when attempting to rename external AD groups? And if so, excluding the potential for CSCul65329 is the process when renaming AD external groups to Clear Active Directory Trusts Cache and restart/apply Active Directory settings.
I can confirm this behavior. There is obviously a cache. An active directory change to your AD while you have mapped groups can be exciting also. There is also a bug where the mapped groups CANNOT be removed.
It is a mess. It appears that in the following CLI menu;
Selection ISE configuration option Reset Active Directory settings to defaults Display Active Directory settings Configure Active Directory settings Restart/Apply Active Directory settings Clear Active Directory Trusts Cache and restart/apply Active Directory settings
As you mention option  does nothing for 24 hours and then flushes it (for what possible reason?)
There is some ability I have heard to do this in real-time with a Linux operating system command.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...