https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831435#M581608 <P>From a AD permissions perspective, group matching issues can be caused by the ISE machine account not having the permission to read tokenGroups. See the following document for the required AD permissions.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D" target="_blank" rel="noopener">Active Directory Integration with Cisco ISE 2.x</A></P> <P>There are also bug fixes related to AD Group matching in various patches for ISE 2.7 and you did not specify what patch level you have installed. If you are not using the latest patch for 2.7 (currently patch 9), then you should start by updating to the latest patch.</P> Tue, 09 May 2023 00:46:10 GMT Greg Gibbs 2023-05-09T00:46:10Z https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831419#M581605 <P>Hello Guys,</P> <P>I´m doing an eap chaining lab using ISE 2.7 and Windows Server 2016. Almost everything is working fine but I´m stuck in this "problem". I want to create Authz rules based on AD Security Groups but during a user authentication, ISE for some reason don´t retrieve the AD Groups in which the user belongs to, So the Authz fail and the authentication is denied.</P> <P>Have you guys ever seen this behavior? What can it be?</P> Mon, 08 May 2023 23:23:08 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831419#M581605 Isildur 2023-05-08T23:23:08Z https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831433#M581607 <P>Perform a test user authentication from ISE GUI. Under External identity Stores &gt; Select Active Directory Join point name &gt; Click Test user and check if you are able to fetch user attribute normally or not. If not, it may be a permission issue on AD.</P> Tue, 09 May 2023 00:31:07 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831433#M581607 poongarg 2023-05-09T00:31:07Z https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831435#M581608 <P>From a AD permissions perspective, group matching issues can be caused by the ISE machine account not having the permission to read tokenGroups. See the following document for the required AD permissions.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D" target="_blank" rel="noopener">Active Directory Integration with Cisco ISE 2.x</A></P> <P>There are also bug fixes related to AD Group matching in various patches for ISE 2.7 and you did not specify what patch level you have installed. If you are not using the latest patch for 2.7 (currently patch 9), then you should start by updating to the latest patch.</P> Tue, 09 May 2023 00:46:10 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4831435#M581608 Greg Gibbs 2023-05-09T00:46:10Z https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4833723#M581699 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1435125">@Isildur</a>&nbsp;- perhaps you're running <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc47015" target="_self">into this defect&nbsp;<SPAN>CSCvz85074</SPAN></A> that also affects ISE 2.7</P> Thu, 11 May 2023 20:48:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4833723#M581699 Arne Bier 2023-05-11T20:48:16Z https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4834558#M581726 <P>I was using ISE 2.7 with no patch and the problem was resolved after I updated to the last patch.</P> <P>Thank you very much guys!!</P> Fri, 12 May 2023 20:26:33 GMT https://community.cisco.com/t5/network-access-control/ise-2-7-not-fetching-ad-groups-name-attribute-from-active/m-p/4834558#M581726 Isildur 2023-05-12T20:26:33Z