AD-GROUP-NAME limitation in ISE live log

Gagandeep Singh
Cisco Employee

Hi Team,

Customer is running the latest version, ISE 2.3, where we have seen that the ISE live log shows only 4 AD-GROUP-NAMES in the report. Though if you test the same user from the External identity store using the "test user" option, ISE fetches lots of groups.

The concern we have: if we use another group, not listed in the live log, as a condition, will it work?

If yes, it's not working in the client provisioning policy, due to which the customer is unable to get the right policy hit.

In ACS, I remember it shows all related groups in the authentication result.

Any help would be appreciated.

Regards

Gagan

5 Replies

hslai
Cisco Employee

An AD external group not shown in the previous auth detail reports should work as a condition for ISE NA authorization policy evaluations. As to client provisioning, it's a known limitation that the AD group conditions need to be the one(s) used in the NA authorization policy or they would not be present in the session cache.

As to ISE livelogs, there are pros and cons for either way. I personally prefer a shorter list as it's very common that a corp user belongs to hundreds of groups.

Hi Hsing,

Appreciate your response as always.

Need more clarification on the client provisioning policy in terms of AD groups. If the live log contains 4 AD groups and we use a different AD group as a condition in the CP policy, though the user is part of those 4 AD groups and the one used in the CP policy.

CPP policy selection is retrieved from the authentication session as mentioned, so in that case only the 4 AD groups listed in the live log authentication should work.

Will this scenario work?

Regards

Gagan

The AD external groups are added to the session cache during the evaluation of the ISE authorization policy. Thus, only those that went through this evaluation will work as AD-external-group conditions in the ISE Client Provisioning policy.

Hi Hsing,

Appreciate your response.

So if we have 4 AD groups listed, then we can only use those groups in the CP policy as discussed. Only 4 AD groups are added to the session ID.

If this is the case, we need to file a bug on ISE only using 4 AD groups at a time. It could be possible there is an existing bug on this.

Regards

Gagan

If not already documented in our ISE admin guide, please open a doc bug on this.
