https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760657#M487310 <P>Hi all,</P> <P>got the following request from one of my customers: They want to use ISE for device administration and want to do authentication as well as authorization based on group membership local on ISE. The users are also stored within AD, and of course they are also a member of a certain groups within AD. AD is attached to ISE via LDAP.</P> <P>Now they would like ISE to synchronize group membership between LDAP and ISE, which means, if a group membership in LDAP is changed, ISE should reflect this change in the local database as well.</P> <P>The reason why they want to do it this way is to be independent from Active Directory availability. If AD is not reachable, proper authentication/authorization still should happen.</P> <P>Is there someone out there already doing this? Of so, how?</P> <P>Any comment is welcome.</P> <P>Roland</P> Mon, 10 Dec 2018 16:24:26 GMT rmueller@cisco.com 2018-12-10T16:24:26Z https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760657#M487310 <P>Hi all,</P> <P>got the following request from one of my customers: They want to use ISE for device administration and want to do authentication as well as authorization based on group membership local on ISE. The users are also stored within AD, and of course they are also a member of a certain groups within AD. AD is attached to ISE via LDAP.</P> <P>Now they would like ISE to synchronize group membership between LDAP and ISE, which means, if a group membership in LDAP is changed, ISE should reflect this change in the local database as well.</P> <P>The reason why they want to do it this way is to be independent from Active Directory availability. If AD is not reachable, proper authentication/authorization still should happen.</P> <P>Is there someone out there already doing this? Of so, how?</P> <P>Any comment is welcome.</P> <P>Roland</P> Mon, 10 Dec 2018 16:24:26 GMT https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760657#M487310 rmueller@cisco.com 2018-12-10T16:24:26Z https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760704#M487311 No, there is no option as such on the ISE to synchronize group membership. Mon, 10 Dec 2018 17:14:46 GMT https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760704#M487311 Surendra 2018-12-10T17:14:46Z https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760748#M487313 <P>I might be wrong here, but ACS had a feature that would allow to shadow the AD user credentials and create a local copy on ACS in case the AD connection was unavailable.&nbsp; That doesn't exist in ISE either.</P> <P>I guess the onus is on the AD infrastructure to be 100% available <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> Mon, 10 Dec 2018 19:14:37 GMT https://community.cisco.com/t5/network-access-control/sync-ise-local-user-groups-with-external-groups-via-ldap/m-p/3760748#M487313 Arne Bier 2018-12-10T19:14:37Z