topic Re: Cisco ISE AD probe in Network Access Control

Cisco ISE AD probe

edondurguti — Mon, 20 Feb 2017 18:41:26 GMT

Hi,

I'm trying to profile corporate assets without doing any kind of posturing.

Was excited about the Active Directory probe but I've hit some limitations. According to some documts the to trigger the active directory probe, ISE must get the host-name attribute, so far the only way to get the host-name attribute is via DHCP.

Looks simple if using WLC or dot1x for wireless/wired users.

Here's an example for wireless:

Configure ISE 2.1 Profiling Services Based on AD Probe - Cisco

My case is for VPN only, I've tried to configure DHCP on the ASA for anyconnect users but that didn't help, ASA proxies the DHCP request packets.

I was hoping DNS would provide the 'host-name' attribute but looks like DNS provides FQDN instead and that doesn't seem to trigger the AD connector runtime, I do have PTR records for my VPN users.

Any ideas anyone?

Thanks

Re: Cisco ISE AD probe

Timothy Abbott — Thu, 23 Feb 2017 18:31:21 GMT

Hi Edon,

As you stated, the AD probe is reliant on getting the host name attribute. There are a few ways to do this: DHCP, NMAP and DNS. A FQDN will also trigger the AD probe. Be sure that you have those probes enabled so that AD probe can be triggered. If you do have those probes enabled, please open a TAC case for further assistance.

Regards,

-Tim

Re: Cisco ISE AD probe

edondurguti — Sun, 26 Feb 2017 22:02:02 GMT

HI. I have the probes configured but AD fetch is not triggered after receiving the fqdn from the dns. I see that the fqdn is successfuly learned via dns. I have a case w tac.

Re: Cisco ISE AD probe

edondurguti — Fri, 21 Jul 2017 02:13:14 GMT

opened: CSCve59881 - dns will not trigger AD probe.

Re: Cisco ISE AD probe

DannyDulin — Fri, 11 Aug 2023 20:55:12 GMT

How do you see the fqdn successfully learned from dns?