https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482178#M499415 <HTML><HEAD></HEAD><BODY><P>Yes, MS permissions can be set per object. Thus, ISE might not have the same permissions to users in the same domain and same groups.</P></BODY></HTML> Fri, 08 Jun 2018 13:23:49 GMT hslai 2018-06-08T13:23:49Z https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482175#M499412 <HTML><HEAD></HEAD><BODY><P>I have a Policy set for Anyconnect Via RADIUS, which looks at the Dial-in attribute for AD. for some reason this is only being pulled for some users and not others. All the user are under the same Domain.</P><P></P><P></P><P>Any thoughts? </P><P></P><P>Thanks, </P></BODY></HTML> Wed, 06 Jun 2018 19:09:23 GMT https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482175#M499412 Jordan Taylor 2018-06-06T19:09:23Z https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482176#M499413 <HTML><HEAD></HEAD><BODY><P>It seems the ISE computer account in AD not having read permissions for such attribute in some particular AD user objects.</P><P>You might want to try allowing "Read All Properties" for ISE. If that not possible, then</P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD><SPAN style="color: #1f497d; font-family: Calibri, sans-serif; font-size: 15px;">use auditing to see what permissions you need (by looking at what accesses fail in the audit log).&nbsp; Repeat until it all seems to work.</SPAN></TD></TR></TBODY></TABLE></BLOCKQUOTE><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD> <P style="color: #000000; font-size: 11pt; font-family: Calibri, sans-serif;"><SPAN style="font-size: 11pt;"> </SPAN><SPAN style="font-family: 'Segoe UI', sans-serif; font-size: 10pt;">References:</SPAN></P> <P style="color: #000000; font-size: 11pt; font-family: Calibri, sans-serif;"><SPAN lang="EN-US" style="font-size: 10pt; font-family: 'Segoe UI', sans-serif;"><A href="https://msdn.microsoft.com/en-us/library/aa706028(v=vs.85).aspx" style="color: purple; text-decoration: underline;">How Access Control Works in Active Directory Domain Services</A></SPAN></P> <P style="color: #000000; font-size: 11pt; font-family: Calibri, sans-serif;"><SPAN lang="EN-US" style="font-size: 10pt; font-family: 'Segoe UI', sans-serif;"><A href="https://msdn.microsoft.com/en-us/library/ms675745(v=vs.85).aspx" style="color: purple; text-decoration: underline;">Controlling Access to Objects and Their Properties</A></SPAN></P> <P style="color: #000000; font-size: 11pt; font-family: Calibri, sans-serif;"><SPAN lang="EN-US" style="font-size: 10pt; font-family: 'Segoe UI', sans-serif;"><A href="https://msdn.microsoft.com/en-us/library/ms677958(v=vs.85).aspx" style="color: purple; text-decoration: underline;">Setting Rights to Specific Types of Objects</A></SPAN></P> <P style="color: #000000; font-size: 11pt; font-family: Calibri, sans-serif;"><SPAN lang="EN-US" style="font-size: 10pt; font-family: 'Segoe UI', sans-serif;"><A href="https://msdn.microsoft.com/en-us/library/ms677957(v=vs.85).aspx" style="color: purple; text-decoration: underline;">Setting Rights to Specific Properties of Specific Types of Objects</A></SPAN></P> </TD></TR></TBODY></TABLE></BLOCKQUOTE></BODY></HTML> Wed, 06 Jun 2018 23:34:13 GMT https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482176#M499413 hslai 2018-06-06T23:34:13Z https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482177#M499414 <HTML><HEAD></HEAD><BODY><P>Would this still apply when I can pull the attribute need from some users over others? And these users are in the same Domain same groups. and I still get the same behavior.</P><P></P><P>Thanks,&nbsp;&nbsp; </P></BODY></HTML> Fri, 08 Jun 2018 13:13:38 GMT https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482177#M499414 Jordan Taylor 2018-06-08T13:13:38Z https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482178#M499415 <HTML><HEAD></HEAD><BODY><P>Yes, MS permissions can be set per object. Thus, ISE might not have the same permissions to users in the same domain and same groups.</P></BODY></HTML> Fri, 08 Jun 2018 13:23:49 GMT https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482178#M499415 hslai 2018-06-08T13:23:49Z https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482179#M499416 <HTML><HEAD></HEAD><BODY><P>Thanks, are there any best practice pages on Active Directory architecture. </P><P></P><P>Found this one. </P><P></P><P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#task_E34DC84405014271B33F6D4E455A441D" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#task_E34DC84405014271B33F6D4E455A441D">https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#tas…</A></P></BODY></HTML> Sat, 09 Jun 2018 03:48:50 GMT https://community.cisco.com/t5/network-access-control/ise-ad-attribute-not-pulling/m-p/3482179#M499416 Jordan Taylor 2018-06-09T03:48:50Z