
ise ActiveDirectory expired account

tthurner
Level 1

We have users with accounts in different domains. We ask for "memberOf" for VPN authorisation from one specific domain. Not all users log in at the domain where this memberOf is located. If the account from the domain we are doing "authorisation" against is expired, ISE will not give me the memberOf, caused by "expired account".

Is there any chance to "tell" ISE to ignore "expired account" for memberOf requests?

1 Accepted Solution

2 Replies

Jason Kunst
Cisco Employee

I am pretty sure it's not possible, but will ask @hslai to see what she thinks.

hslai
Cisco Employee

If the AD connection is defined as an Active Directory join point in ISE, why not use "Groups" instead of "memberOf"? If as an LDAP object, then why not as an Active Directory object?

The attribute "memberOf" does not include the primary group membership and also does not show membership from nested groups. Using "Groups" with the AD join points has no such limit.

I do not think it is related to expired accounts.