https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5065439#M588669 <P>Do you have the need for the AD probe?&nbsp; Why is it enabled to start with?&nbsp;&nbsp;</P> Wed, 10 Apr 2024 20:03:13 GMT ahollifield 2024-04-10T20:03:13Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5064942#M588668 <P>Hello,</P><P>I have ISE 3.1.0.518 patch 8. I have a problem that ISE is not fetching the correct attribute information for MacOS. My Macs are not joined to my Windows domain, but ISE finds AD attributes for my Mac but completely wrong. They detect that it is a Windows with another host name. I deleted the Endpoint Mac and bad data comes back. How to fix this?</P><P>Endpoint Profile: Apple-Device</P><P>AD-Operating System: Windows 10</P><P>AD-Fetch-Host-Name: wrong host name</P> Wed, 10 Apr 2024 15:55:50 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5064942#M588668 Sebastien Lagueux 2024-04-10T15:55:50Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5065439#M588669 <P>Do you have the need for the AD probe?&nbsp; Why is it enabled to start with?&nbsp;&nbsp;</P> Wed, 10 Apr 2024 20:03:13 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5065439#M588669 ahollifield 2024-04-10T20:03:13Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066359#M588681 <P>The AD prod is activated to be able to make rules depending on which group or OU a computer finds itself in.<BR />But I think I found my problem. ISE relies on reverse DNS entry, and I notice that I have a problem at this level. My PTR entries do not match the DNS entries.</P> Thu, 11 Apr 2024 13:04:44 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066359#M588681 Sebastien Lagueux 2024-04-11T13:04:44Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066369#M588683 <P>Yeah without properly functioning reverse records you will see issues like this with the AD probe.&nbsp; I would argue active authentication based on machine certificates and looking up OU based on the derived machine name from the certificate is a much better approach for checking group/OU membership than relying on the AD probe.</P> Thu, 11 Apr 2024 13:19:20 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066369#M588683 ahollifield 2024-04-11T13:19:20Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066371#M588684 <P>Interesting, I'll look into that. Do you happen to have any documentation on this? I'm quite new to ISE. Thanks for your help</P> Thu, 11 Apr 2024 13:22:43 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066371#M588684 Sebastien Lagueux 2024-04-11T13:22:43Z https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066374#M588685 <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html#toc-hId-133117567" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html#toc-hId-133117567</A></P> <P>I would also suggest going through some ISE training to learn about authorization policy logic, etc.&nbsp; I would also suggest working with your Cisco Account SE and your preferred Cisco Partner of choice to also help with ISE deployment and policy creation.</P> Thu, 11 Apr 2024 13:28:06 GMT https://community.cisco.com/t5/network-access-control/ad-prob-incorrect-data/m-p/5066374#M588685 ahollifield 2024-04-11T13:28:06Z