topic You're welcome. in Network Access Control

ISE not seeing deep enough into AD structure

Mon, 11 Mar 2019 07:45:49 GMT

Hi all; I have no experience with ISE but am trying to help out some folks who are using the tool.

They are trying to pull info out of AD in our heavily nested structure, but can't see further than SIX levels deep. We have end-user machines in OUs that are EIGHT deep. Here it is, with some of the names changed for privacy reasons

OU=Windows10,OU=Client Devices,OU=xx.yyy.zzz,OU=Infrastructure Services,DC=PROD,DC=aaa,DC=bbb,DC=GOV

The folks using the tool report they can only see to the "OU=xx.yyy.zzz" level - they can't see "OU=Client Devices" or "OU=Windows10".

The error they are getting:

Could not find SID for group: '<hidden>/Infrastructure Services/<hidden>/Client Devices/Windows10'. Specific error is: 'The group name is invalid'.

Mark Elsen — Fri, 02 Jun 2017 15:30:46 GMT

- Please re-post in Security -> AAA Identity and NAC

Done.

Fri, 02 Jun 2017 17:53:56 GMT

Done.

What version of ISE are you

Marvin Rhoads — Sat, 03 Jun 2017 08:24:58 GMT

What version of ISE are you using? In 2.0 and later you can specify the OU and join point explicitly.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612

Thanks Marvin; not sure, I'm

Sat, 03 Jun 2017 18:18:22 GMT

Thanks Marvin; not sure, I'm the middleman. I will ask them first thing Monday morning.

But, do you know if versions PRIOR to 2.0 had a limitation insofar as how many levels deep they can query down into?

Thanks again...

You're welcome.

Marvin Rhoads — Sun, 04 Jun 2017 03:24:58 GMT

You're welcome.

Yes I believe it did.

However ISE1.x is getting quite old. 1.4 was released over 2 years ago and many many improvements have been made since then. The whole AD connector and related serviceability features was revamped in 2.x. Anybody using that feature in any robust sense would be well-served to migrate to the current release (2.2 patch 1).