ISE with AD Integration, Group retrieval

Ibrahim Alsharif — Mon, 11 Mar 2019 03:14:18 GMT

Hello Dears,

I have integrated ISE with Active Directory Domain and everything went fine, but when I tried to retrieve the groups from the Domain, I didn't get all Groups, many groups are missing and didn't appear on the ISE.

is there any additional step on the Domain or ISE to do, and slove the issue?

Thanks for your help

Ibrahim

ISE with AD Integration, Group retrieval

harvisin — Sat, 06 Apr 2013 03:13:27 GMT

Hello,

As per my knowledge if you are facing such issue thn you might have missed a step in the process of integration of ISE and AD.

For your reference, please refer to the link below ehcih might help you

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011

This link will provide you the step by step guide on how to integrate ISE with AD.

I hope this might help you.

ISE with AD Integration, Group retrieval

jrabinow — Sun, 07 Apr 2013 06:27:37 GMT

When select groups from the directory, what Domain and Filter do you use?

ISE with AD Integration, Group retrieval

augie2005 — Tue, 09 Apr 2013 13:31:25 GMT

shouldnt using a wildcard '*' return at least the groups in the root of the domain? I too am having this issue. I am unable to pull any groups at all. I am concerned that my AD naming convention could be at play; as I used a hyphen in my server name, and all caps for part of the domain name:

my-server.DOMAIN.local

that being said, doing a detailed connection test returns no problems.

Re: ISE with AD Integration, Group retrieval

hgans — Thu, 11 Apr 2013 21:47:21 GMT

same issue, domain group pull retrieves zero groups from my DC.

no error messages in ISE or DC event logs.

Using single DC users e.g. for radius login events works just fine.

I guess some DC right setting is missing to make it work?

My DC server has a default setup with no fancy customization.

appreciate any help on this...

Edit: Here is an example of a successful Test Connection Result with Domain:

adinfo (CentrifyDC 4.5.0-357)

Host Diagnostics

uname: Linux ise 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 i686

OS: Red Hat Enterprise Linux Server

Version: 5.4 (Tikanga)

Number of CPUs: 2

IP Diagnostics

Local host name: ise

Local IP Address: 172.29.30.238

FQDN host name:ise.30.29.172.in-addr.arpa

Domain Diagnostics

Domain: company.com

Subnet site: default-first-site-name

DNS query for: _ldap._tcp.company.com

Found SRV records:

dc.company.com:389

Testing Active Directory connectivity:

Domain Controller: dc.company.com

ldap: 389/tcp - good

ldap: 389/udp - good

smb: 445/tcp - good

kdc: 88/tcp - good

kpasswd: 464/tcp - good

ntp: 123/udp - good

Domain Controller: dc.company.com:389

Domain controller type: Windows 2008 R2

Domain Name: company.com

isGlobalCatalogReady: TRUE

domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

Forest Name: company.com

DNS query for: _gc._tcp.company.com

Testing Active Directory connectivity:

Global Catalog: dc.company.com

gc: 3268/tcp - good

Domain Controller: dc.company.com:3268

Domain controller type: Windows 2008 R2

Domain Name: company.com

isGlobalCatalogReady: TRUE

domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

Forest Name: company.com

Retrieving zone data from company.com

Computer Account Diagnostics

Joined as: ise

Trusted for Delegation: false

Use DES Key Only: false

Key Version: 2

Service Principal Names: nfs/ise.company.com

nfs/ise

http/ise.company.com

http/ise

host/ise.company.com

host/ise

ftp/ise.company.com

ftp/ise

cifs/ise.company.com

cifs/ise

System Diagnostic

=======DNS Servers State==========

DNS Status: Up

=======DNS Server Info=======

Last Sweep: Thu Apr 11 23:20:23 2013

Fast Sweeps: 1

Deep Sweeps: 0

Okay Sweeps: 1

Failed Sweeps: 0

Cache Hits: 44

Cache Misses: 4

DNS Flushes: 0

=======DNS Server List=======

IP: 172.29.30.103

Status: Alive

udpSuccess: 16

tcpSuccess: 1

udpNoSuchName: 0

tcpNoSuchName: 0

udpTruncations: 0

tcpTruncations: 0

udpIOFailures: 0

tcpIOFailures: 0

udpTimeouts: 0

tcpTimeouts: 0

udpFailures: 0

tcpFailures: 0

udpServerFail: 0

tcpServerFail: 0

lastQueryTime: Fri Apr 12 08:25:24 2013

lastDnsCode: 0

Average Time: 0.000341087 seconds

IP: 172.29.30.237

Status: Alive

udpSuccess: 0

tcpSuccess: 0

udpNoSuchName: 0

tcpNoSuchName: 0

udpTruncations: 0

tcpTruncations: 0

udpIOFailures: 0

tcpIOFailures: 0

udpTimeouts: 0

tcpTimeouts: 0

udpFailures: 0

tcpFailures: 0

udpServerFail: 0

tcpServerFail: 0

lastQueryTime: Thu Jan 1 01:00:00 1970

lastDnsCode: 65535

Average Time: 0 seconds

=======DNS Cache contents==========

Hdc.company.com=>dc.company.com 172.29.30.103

S_kerberos._tcp.default-first-site-name._sites.company.com=>dc.company.com:88:100:0

S_kerberos._tcp.company.com=>dc.company.com:88:100:0

S_ldap._tcp.default-first-site-name._sites.company.com=>dc.company.com:389:100:0

========Domain info map========

DC=home,DC=local

CN = company.com

SID = S-1-5-21-2229097442-58476736-706075715

TRUST_ATTRS = 0x20

TRUST_DIRECTION = 3

TRUST_TYPE = 2

NTLM NAME = HOME

LOCAL FOREST = YES

===============Network State===================

Site Map

company.com=>default-first-site-name

Domain Map

company.com

dc:dc.company.com

gc:dc.company.com

forest:company.com

state:alive

swept:5 mins ago

Domain Controllers

dc.company.com (172.29.30.103)

pinged:5 mins ago

state:up

ping:0.000909 secs

forest:company.com

nbhost:dc

site:default-first-site-name

flags:WCTKLG

Blocked Services: None

===============DC Statistics===================

dc.company.com

Last Success:Fri Apr 12 08:25:04 2013

Last Failure:Thu Jan 1 01:00:00 1970

Successes:7

Failures:0

===================adagent internals===================

Binding Table

$=>dc.company.com(company.com) disconnected

company.com=>dc.company.com(company.com) connected

===================Property values===================

adclient.autoedit: true

adclient.autoedit.nss: false

adclient.autoedit.pam: false

adclient.cache.expires: 60

adclient.cache.expires.group: 86400

adclient.cache.expires.user: 60

adclient.cache.refresh: 15

adclient.clients.socket: /var/centrifydc/daemon

adclient.clients.socket2: /var/centrifydc/daemon2

adclient.clients.threads: 15

adclient.clients.threads.max: 30

adclient.force.salt.lookup: true

adclient.get.builtin.membership: true

adclient.hash.allow: no-one

adclient.ldap.timeout: 11

adclient.ldap.timeout.search: 14

adclient.server.try.max: 200

adclient.sntp.enabled: false

adclient.use.all.cpus: true

adclient.use.s4u: false

adclient.user.lookup.cn: false

adclient.user.lookup.display: false

adclient.watch.enabled: false

gp.disable.all: true

krb5.support.alt.identities: false

log: INFO

logger.facility.*: local6

logger.facility.adclient.audit: local6

logger.facility.adnisd: local6

logger.queue.size: 1024

lrpc.timeout: 30

nss.nobody.gid: 99

nss.nobody.group: nobody

nss.nobody.uid: 99

nss.nobody.user: nobody

nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users

nss.shell.nologin: /sbin/nologin

pam.allow.override: root

pam.user.ignore: root

secedit.system.access.maximumpasswordage: 0

system.access.MinimumPasswordAge: 0

system.access.maximumpasswordage: -1

Total;Count;Average;Name

Centrify DirectControl Status

Running in connected mode

Licensed Features: Enabled

SELinux status: disabled

amavis1.1.0

ccs1.0.0

clamav1.1.0

dcc1.1.0

dnsmasq1.1.1

evolution1.1.0

ipsec1.4.0

iscsid1.0.0

milter1.0.0

mozilla1.1.0

mplayer1.1.0

nagios1.1.0

oddjob1.0.1

pcscd1.0.0

postgrey1.1.0

prelude1.0.0

pyzor1.1.0

qemu1.1.2

razor1.1.0

ricci1.0.0

smartmon1.1.0

spamassassin1.9.0

virt1.0.0

zosremote1.0.0

ISE with AD Integration, Group retrieval

Konrad Reszka — Wed, 12 Jun 2013 18:53:46 GMT

A little late to this party, but I recently had this problem too and there are multiple settings that must be in place for group retrieval to work.

DNS must be properly configured so the FQDN of ISE is resolved correctly. Remember to include the reverse lookup zone as well. Ensure that the name-server defined on the ISE CLI points to this DNS. In my case I had two other servers defined which did not have the proper entries but were responding to LDAP/AD queries so the group query failed before the correct DNS was ever contacted. Also be sure the domain name is configured correctly on the ISE CLI to match the domain you've joined.

topic ISE with AD Integration, Group retrieval in Network Access Control

ISE with AD Integration, Group retrieval

ISE with AD Integration, Group retrieval

ISE with AD Integration, Group retrieval

ISE with AD Integration, Group retrieval

Re: ISE with AD Integration, Group retrieval

ISE with AD Integration, Group retrieval