ISE AD Attribute Not Pulling.

Jordan Taylor
Level 1

I have a Policy Set for AnyConnect via RADIUS, which looks at the Dial-in attribute for AD. For some reason this is only being pulled for some users and not others. All the users are under the same domain.

Any thoughts?

Thanks,

Accepted Solutions

hslai
Cisco Employee

It seems the ISE computer account in AD does not have read permissions for that attribute on some particular AD user objects.

You might want to try allowing "Read All Properties" for ISE. If that is not possible, then use auditing to see what permissions you need (by looking at what accesses fail in the audit log). Repeat until it all seems to work.

References:

How Access Control Works in Active Directory Domain Services

Controlling Access to Objects and Their Properties

Setting Rights to Specific Types of Objects

Setting Rights to Specific Properties of Specific Types of Objects
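
One way to check the per-object permissions described in the answer above, as an added example that is not part of the original post: it lists the ACEs that allow or deny reading the dial-in attribute on one user where ISE gets the value and one where it does not, then shows the differences. The user names are placeholders, and the attribute is assumed to be `msNPAllowDialin`; substitute the attribute your policy references.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and an account allowed to read ACLs.
Import-Module ActiveDirectory

# Assumptions (placeholders, not taken from the thread):
$Users     = 'user.works', 'user.fails'   # attribute returned for the first, missing for the second
$Attribute = 'msNPAllowDialin'            # assumed LDAP name of the dial-in permission attribute

# Look up the attribute GUID and its property-set GUID in the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                -Properties schemaIDGUID, attributeSecurityGUID
$attrGuid = [guid]$attr.schemaIDGUID
$setGuid  = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }

function Get-AttrReadAce([string]$Sam) {
    $dn  = (Get-ADUser -Identity $Sam).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        # ACEs that carry ReadProperty (GenericRead and GenericAll include it) ...
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
        # ... cover all properties, this attribute, or the property set containing it ...
        ($_.ObjectType -in @([guid]::Empty, $attrGuid, $setGuid)) -and
        # ... and apply to the user object itself rather than only to child objects.
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
    } | ForEach-Object {
        $scope = if ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
                 elseif ($_.ObjectType -eq $attrGuid) { 'attribute' }
                 else { 'property set' }
        [pscustomobject]@{
            User               = $Sam
            InheritanceBlocked = $acl.AreAccessRulesProtected  # True: parent OU ACEs do not reach this user
            Type               = $_.AccessControlType          # Allow or Deny
            Identity           = $_.IdentityReference.Value
            Scope              = $scope
            Inherited          = $_.IsInherited
        }
    }
}

$rows = $Users | ForEach-Object { Get-AttrReadAce $_ }
$rows | Sort-Object User, Type, Identity | Format-Table -AutoSize

# ACEs present on only one of the two users; SideIndicator shows which.
Compare-Object @($rows | Where-Object User -eq $Users[0]) @($rows | Where-Object User -eq $Users[1]) `
    -Property Type, Identity, Scope
```

Read the Identity column against the ISE machine account and the groups it belongs to: an Allow entry missing on the failing user, a Deny entry present only there, or `InheritanceBlocked` differing between the two users points to where the read permission diverges.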

Would this still apply when I can pull the attribute needed from some users over others? These users are in the same domain and the same groups, and I still get the same behavior.

Thanks,  

Yes, MS permissions can be set per object. Thus, ISE might not have the same permissions to users in the same domain and same groups.

Thanks. Are there any best practice pages on Active Directory architecture?

Found this one.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#tas…
