Beginner

ise ActiveDirectory expired account

We have users with accounts in different domains. We ask for "memberOf" for VPN authorisation from one specific domain. Not all users log in at the domain where this memberOf is located. If the account from the domain where we are doing "authorisation" is expired, ISE will not give me the memberOf because of "expired account".

Is there any chance to "tell" ISE to ignore "expired account" for memberOf requests?

1 ACCEPTED SOLUTION

Cisco Employee

Re: ise ActiveDirectory expired account

If the AD connection is defined as an Active Directory join point in ISE, why not use "Groups" instead of "memberOf"? If as an LDAP object, then why not as an Active Directory object?

The attribute "memberOf" does not include the primary group membership and also does not show membership from nested groups. Using "Groups" with the AD join points has no such limit.

I do not think it is related to expired accounts.

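The gap the accepted answer describes, as an added example that is not part of the original thread and does not reproduce ISE's internal logic: it compares an account's raw memberOf values with membership that also resolves the primary group (via primaryGroupID) and nested groups. All DNs, the domain SID and the group names are constructed.

```python
# Constructed sample data: DNs, SID and group names are illustrative only.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "DC=example,DC=test"
ALICE = f"CN=alice,OU=Users,{BASE}"
CONTRACTORS = f"CN=VPN-Contractors,OU=Groups,{BASE}"
VPN_USERS = f"CN=VPN-Users,OU=Groups,{BASE}"
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"

DIRECTORY = {
    ALICE: {"memberOf": [CONTRACTORS], "primaryGroupID": 513},
    CONTRACTORS: {"memberOf": [VPN_USERS], "objectSid": f"{DOMAIN_SID}-1105"},
    # VPN-Users is nested back into VPN-Contractors to exercise loop handling.
    VPN_USERS: {"memberOf": [CONTRACTORS], "objectSid": f"{DOMAIN_SID}-1104"},
    DOMAIN_USERS: {"memberOf": [], "objectSid": f"{DOMAIN_SID}-513"},
}

def direct_member_of(dn):
    """Groups listed in the object's own memberOf attribute."""
    return set(DIRECTORY[dn].get("memberOf", []))

def primary_group(dn):
    """Resolve primaryGroupID (a RID) to the group whose SID is <domain SID>-<RID>."""
    rid = DIRECTORY[dn].get("primaryGroupID")
    if rid is None:
        return None
    wanted = f"{DOMAIN_SID}-{rid}"
    for group_dn, attrs in DIRECTORY.items():
        if attrs.get("objectSid") == wanted:
            return group_dn
    return None

def effective_groups(dn):
    """Direct groups plus the primary group plus every nested parent group."""
    pending = list(direct_member_of(dn))
    primary = primary_group(dn)
    if primary:
        pending.append(primary)
    seen = set()
    while pending:
        group = pending.pop()
        if group in seen:  # already expanded; also stops membership loops
            continue
        seen.add(group)
        pending.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen

if __name__ == "__main__":
    print("memberOf only:", sorted(direct_member_of(ALICE)))
    print("effective    :", sorted(effective_groups(ALICE)))
```

An authorization rule that matches VPN-Users against the raw memberOf value would not match this account, while the resolved membership contains it.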

2 REPLIES
Cisco Employee

Re: ise ActiveDirectory expired account

I am pretty sure it's not possible, but I will ask @hslai to see what she thinks.
