cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

189
Views
10
Helpful
6
Replies

How to add more AD attributes to the live logs

Hello,

Please suggest how to add more AD attributes to the radius live logs. We use ISE 2.3 for 802.1x authentication thru ActiveDirectory. Earlier I saw a lot of AD attributes in the live logs, for example "memberOf" fields, and they helped a lot to tune policy sets. But then something happened and now logs show only short set of attributes. 

 

Is there any documentation on how to get and use all available attributes from ActiveDirectory?

 

Thank you in advance

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Cisco Employee

Re: How to add more AD attributes to the live logs

Hello Aleksandr, 

 

now the attributes are retrieved from AD, what i can advice you to do is the below:

 

go to administration > external identity source > active directory 

click on the join point, there is section called attributes, 

click on it then select retrieve  attributes from active directory.

put any user and click on retrieve it will collect all the available attributes, add what you need then you can use it in policy set.

 

 

 

 

Cisco Employee

Re: How to add more AD attributes to the live logs

did you use them in condition ? or you just want to see them on logs ? we dont usually control the logs only collection filter but part of the report we dont,

 

in case of difficulties on this matter as suggested tac case will be good, however if you want to see what we retrieve for specific user.

 

go to AD tap and test the user there for lookup there will attribute section it will contain everything

 

6 REPLIES 6
Cisco Employee

Re: How to add more AD attributes to the live logs

What Authentication method are you using?

Can you send a snap shot of the attributes you are seeing and name or show the attributes you are not seeing.

Re: How to add more AD attributes to the live logs

Hello @ldanny Thank you for response.

We use dot1x Authentication method. I want to see "memberOf" attribute in the Radios Live Logs but it is absent here.

 

ise1.pngise2.png

Highlighted
Cisco Employee

Re: How to add more AD attributes to the live logs

Hello Aleksandr, 

 

now the attributes are retrieved from AD, what i can advice you to do is the below:

 

go to administration > external identity source > active directory 

click on the join point, there is section called attributes, 

click on it then select retrieve  attributes from active directory.

put any user and click on retrieve it will collect all the available attributes, add what you need then you can use it in policy set.

 

 

 

 

Re: How to add more AD attributes to the live logs

Hello @yalbikaw Thank you for response and valuable information. I did not know how to manage attributes. 

I selected all attributes I want to see in the logs but they still not included in the live log.

ise0.png

Cisco Employee

Re: How to add more AD attributes to the live logs

If your not seeing the attribute after adding it from AD I suggest you contact TAC for further troubleshooting

 

 

Cisco Employee

Re: How to add more AD attributes to the live logs

did you use them in condition ? or you just want to see them on logs ? we dont usually control the logs only collection filter but part of the report we dont,

 

in case of difficulties on this matter as suggested tac case will be good, however if you want to see what we retrieve for specific user.

 

go to AD tap and test the user there for lookup there will attribute section it will contain everything