https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117105#M561648 <P>One main difference between LDAP and AD or ISE internal user is&nbsp;ISE is not supporting nested LDAP group memberships.</P> <P>Please ensure the user is a direct member of the LDAP group, which mapping to an ISE sponsor group.<BR /><BR /></P> Sat, 11 Jul 2020 23:06:10 GMT hslai 2020-07-11T23:06:10Z https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117097#M561644 <P>Hello Team,</P><P>&nbsp;</P><P>Need your help.</P><P>&nbsp;</P><P>Unable to access Sponsor portal with LDAP credentials.</P><P>configuration is correct. sponsor portal is working for AD &amp; internal users but not for LDAP users&nbsp;</P><P>&nbsp;</P><P>Can anyone please help ??</P><P>&nbsp;</P><P>Thanks in advanced.</P> Sat, 11 Jul 2020 21:43:02 GMT https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117097#M561644 siddhesh.parab@orange.com1 2020-07-11T21:43:02Z https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117105#M561648 <P>One main difference between LDAP and AD or ISE internal user is&nbsp;ISE is not supporting nested LDAP group memberships.</P> <P>Please ensure the user is a direct member of the LDAP group, which mapping to an ISE sponsor group.<BR /><BR /></P> Sat, 11 Jul 2020 23:06:10 GMT https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117105#M561648 hslai 2020-07-11T23:06:10Z https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117157#M561651 <P>&nbsp;</P><P>Thanks for information.</P><P>Could you suggest where i will get those setting in LDAP server ??</P> Sun, 12 Jul 2020 07:03:00 GMT https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4117157#M561651 siddhesh.parab@orange.com1 2020-07-12T07:03:00Z https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4120910#M561770 <P>I occasionally dabble in a bit of LDAP and I am always chuffed when things work. It's quite a complex thing to deal with and we are spoilt when dealing with AD (which hides all that LDAP stuff under the hood).</P> <P>One tool I can recommend is <A href="https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer" target="_self">AD Explorer from Microsoft SysInternals</A></P> <P>Use this tool to bind to your LDAP/AD directory to see where things live and what attributes they have. I had to use this recently to figure out why things were failing when I switched my ISE AuthZ Condition from AD to LDAP and it kept failing.&nbsp;</P> <P>&nbsp;</P> <P>In my example below I was checking whether a user was a member of the AD Security Group called "ise-readonly". I could do it in two ways. In the first case I assigned the AD user's primary group to be "ise-readonly" which is something you probably can't always rely on. But in the second case, I managed to match the user's group membership by importing that group name from LDAP, and then using it in the AuthZ. The trick with the "memberOf" was that my LDAP setup config was not right to start with, and ISE was failing to read the LDAP Group table from AD.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ldap-lab.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/79343i31D2BBD23407F54B/image-size/large?v=v2&amp;px=999" role="button" title="ldap-lab.PNG" alt="ldap-lab.PNG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lda-setup.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/79344i363D98ED74B80216/image-size/large?v=v2&amp;px=999" role="button" title="lda-setup.PNG" alt="lda-setup.PNG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ldap-attr.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/79345iD3E089F13B832DCC/image-size/large?v=v2&amp;px=999" role="button" title="ldap-attr.PNG" alt="ldap-attr.PNG" /></span></P> Fri, 17 Jul 2020 23:07:42 GMT https://community.cisco.com/t5/network-access-control/unable-to-access-sponsor-portal-with-ldap-as-a-external-identity/m-p/4120910#M561770 Arne Bier 2020-07-17T23:07:42Z