Yes Test User works fine shows all the groups.

Ill re-check this but yes. I ire-mported manually all the groups from AD as part of troubleshooting. I will do a few test case rules before I open a TAC case just thought id ask here in case it was a known issue. Thanks!

can you change from "ExternalGroups-EQUALS-XXXXXX " to "ExternalGroups-CONTAINS-XXXXXX "  & try

Regards

yes basically the same thing happened with ISE. Appeared to be a formatting/syntax issue etc.

I've asked our engineering team to take a look. Do you have a reliable procedure to recreate this? Has this been always happening with some particular version of ACS (e.g. 5.5) as the source? Both ISE 2.0+ and ACS 5.8+ would be storing SIDs of the groups. Were you getting warnings or errors if clicking on the button [ Update SID Values ]?

I did run the check SIDs and those all either updated or were ok. I didnt write down the response from the server when I clicked it.  However  even after doing so  the problem was there. I ran the current  migration utility from ACS 5.6 to ISE 2.2 to import the users,, devices, and policies. They all looked  ok visually but no  AD matching External Groups policies were matching rules on authorization. After some frustration I deleted all the  AD Groups, re-imported them manually, and manually reassigned them to each policy afterward and then they worked correctly. Thanks!

I can confirm that this is still an issue. I have used the migration tool to migrate from ACS 5.8.0.32.9 to ISE 2.4.0.357 and all my rules and object have been successfully migrated, no warnings and no errors. After the migration tool completed, I joined the AD domain successfully and all the groups I am using in Policy Sets were successfully pulled but they needed the SID update. I ran it and it was also successful however when I tried to save the updated SIDs I got an error message that it cannot be done because the groups are used in the policy sets. I had to remove the AD Group matching rule from each of my policies and only then did ISE allow me to save the updated SID values. Once I saved them and re-added the AD Group match to each policy set rule, Conditions started being matched by ISE.

So to sum up the issue, you need to update SIDs for the ACS migrated conditions for them to match but you cannot update SIDs if any of the groups are used in a policy match condition which of course they are. This needs fixing since it creates major extra work for admins to delete than re-add all AD match conditions to all policy sets configured.

As I have said on other posts, the moral of this story is don't use the ACS to ISE migration utility.  Unless you are completely new to ISE and ACS, manually migrating from ACS to ISE is pretty quick and you have total control of the process vs. pushing a button on some utility and hoping it works and living with the object names and policy setup it comes up with.

I do not agree with you on this. The migration tool is super helpful to migrate large amounts of settings, and policy rules. If all you have is 5-10 rules and a couple policies, manually re-creating them is not a big issue but think of several policies with dozens if not hundreds of complex rules in them. Re-creating them from scratch is a huge effort and is extremely error-prone. The right thing to do is fix the migration tool since other than this small glitch, it works really well and speeds up the deployment of a new ISE deployment from several days to several hours with minimal risk of lost or misconfigured policy rules.