05-31-2012 06:20 AM - edited 03-10-2019 07:09 PM
Hi,
I'm having a problem with ISE not finding the username in an AD group in the Authorization Policy.
This applies to a computer as well (another rule, with Domain Computers).
The last setup is simple:
if X_AD:ExternalGroups EQUALS x.company.se/Users/Domain Users then Permit_access
The user is in that group but it fails every time.
If I change the Default rule to PermitAccess he gets authorized so the authentication part is working.
I'm trying to read the LDAP debug log, ad_agent.log, but I'm not sure what I'm looking for here.
Is there a good way to test this?
Any troubleshooting tips are welcome.
Thanks
Mikael
05-31-2012 08:23 AM
One thing you can do is the following
- Find the authentication record for your request (go to Operations -> Authentications).
- When you see the record for your request, click on the Details icon for the record.
You will see the "Authentication Details" page. In the section "Authentication Details" there is an "Other Attributes" section that should include the list of AD groups that were in fact retrieved for the user, and you can see if this includes the one you were expecting.
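The check above is the right one: the rule's EQUALS comparison only succeeds if the group string in the rule is exactly what ISE retrieved and lists under "Other Attributes". As an added illustration (not code from the original post or from Cisco), the following script mimics that comparison against a constructed group list in the canonical form the thread uses ("domain/container/Group"), converts groups pasted in AD distinguishedName form to that canonical form (the `dn_to_canonical` helper is an assumption about the display format, not an ISE API), and reports the failure modes the thread runs into: nothing retrieved at all (the lookup against the wrong DC failed) or the same group path living in a different domain.

```python
import re

# Constructed sample of what ISE shows under Authentication Details ->
# Other Attributes once the AD lookup actually works (assumed format).
SAMPLE_RETRIEVED_GROUPS = [
    "x.company.se/Users/Domain Users",
    "x.company.se/Users/VPN-Users",
]


def dn_to_canonical(dn):
    """Convert an AD distinguishedName such as
    'CN=Domain Users,CN=Users,DC=x,DC=company,DC=se' to the canonical
    form 'x.company.se/Users/Domain Users' (hypothetical helper)."""
    # Split on commas that are not escaped with a backslash.
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.replace("\\,", ",")))
    domain = ".".join(v for k, v in rdns if k == "DC")
    # Containers are listed leaf-first in a DN; canonical form is root-first.
    path = [v for k, v in rdns if k != "DC"]
    path.reverse()
    return domain + "/" + "/".join(path)


def diagnose_group_match(expected, retrieved):
    """Emulate the rule 'ExternalGroups EQUALS <expected>' against the
    retrieved group list and explain why it missed, if it did."""
    normalised = [g if "/" in g else dn_to_canonical(g) for g in retrieved]
    if expected in normalised:
        return {"match": True, "reason": "exact match", "closest": expected}
    if not normalised:
        return {"match": False,
                "reason": "no groups retrieved: the AD lookup itself failed",
                "closest": None}
    exp_domain, _, exp_path = expected.partition("/")
    for group in normalised:
        domain, _, path = group.partition("/")
        if path.lower() == exp_path.lower() and domain.lower() != exp_domain.lower():
            return {"match": False,
                    "reason": "same group path but in a different domain",
                    "closest": group}
    return {"match": False, "reason": "group not in retrieved list", "closest": None}


if __name__ == "__main__":
    rule_group = "x.company.se/Users/Domain Users"
    print(diagnose_group_match(rule_group, SAMPLE_RETRIEVED_GROUPS))
    print(diagnose_group_match(rule_group, []))
    print(diagnose_group_match(rule_group, ["something.company.se/Users/Domain Users"]))
```

Paste the group list from the "Other Attributes" section into `SAMPLE_RETRIEVED_GROUPS` and the rule's group string into `rule_group`; an empty retrieved list points at the AD connection (the ad_agent.log debug log is the place to look), while a "different domain" hit means the rule was written against the old domain.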
05-31-2012 06:58 PM
When you are editing the rule, does it say if Any and ..., or do you have an identity group selected?
Sent from Cisco Technical Support iPad App
06-01-2012 02:01 PM
Looks like the problem is solved for now.
First, what we did to get the authorization problem was to move from one AD connection to another, with some indecision on where to use MSCHAPv2. We left one AD and joined the other one, with the same authentication and authorization rules applied. After that it didn't work, as I described in my original post.
I did a deeper dive in the LDAP debug log, ad_agent.log, and when the client connects it looks like the ISE policy server tries to do a lookup against the old AD server and it fails. (See log below.)
I was thinking that I would have to run an application reset-config and start over, but the last thing I did yesterday was to force a resync on all ISE nodes just to have done that. And that did it; this morning everything worked like a charm.
Should say that the Replication Status and Sync Status were good (Complete and Sync completed) before I forced a resync. And we changed the AD connection 3 days ago, so plenty of time to replicate from the admin node to the policy nodes.
------------------------------------
Part of debug log from policy server
Old AD server: dc02.company.se / dc01.company.se
New AD server: sdc02.something.company.se
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DIAG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DIAG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]:last message repeated 3 times
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
May 31 14:18:59 isepol1 adclient[2057]: DEBUG
Thanks
Mikael