Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
1
Replies

ISE Renaming External AD Group

Andy Robinson
Level 1
Level 1

‎08-22-2014 04:52 AM - edited ‎03-10-2019 09:57 PM

Hi,

I am testing ISE External AD authentication and when I rename an AD security group that the user is a member of authentication against ISE is still successful, however the group name shown in the logs is the original group name and not the new renamed group name. This appears to be the same for both nested groups and those mapped directly to ISE in my testing. 

After waiting what could be potentially 24 hours between retesting after renaming the group this appears to then show the correct renamed group in the authentication log. I believe that ISE has an ADclient cache which I assume is where the group name is being pulled from for the ISE logs and hence why this shows incorrectly for a period of time until it is refreshed.

I did find details of a configuration option on the ISE CLI to "Clear Active Directory Trusts Cache and restart/apply Active Directory settings". I have attempted to do this and this makes no difference to the names of the groups in the authentication log. However this may be due to CSCul65329 that I have found that seems to exhibit the similar symptoms to what I am experiencing.

So I guess what I am asking is, has anyone else experienced similar issues when attempting to rename external AD groups? And if so, excluding the potential for CSCul65329 is the process when renaming AD external groups to Clear Active Directory Trusts Cache and restart/apply Active Directory settings.

Any help appreciated.

Many thanks

Andy

1 person had this problem
Labels:
0 Helpful
1 Reply 1

routerhand99
Level 1
Level 1

‎02-17-2015 01:54 PM

I can confirm this behavior.  There is obviously a cache.  An active directory change to your AD while you have mapped groups can be exciting also.  There is also a bug where the mapped groups CANNOT be removed.

It is a mess.  It appears that in the following CLI menu;

Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings

 

As you mention option [5] does nothing for 24 hours and then flushes it (for what possible reason?)

There is some ability I have heard to do this in real-time with a Linux operating system command.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents