
retrieve group membership info for the disabled account AD

anvolkov
Cisco Employee

Hello team,

Can you please tell me whether it's possible for ISE to retrieve the group membership information for a disabled account in AD?

As per the documentation, EAP-TLS authentication checks whether the user is disabled or locked out, and the authentication fails if any of these conditions is met. Cisco ISE can retrieve user or machine groups from Active Directory after a successful authentication.

In our case, the user is authenticated using certificates, so in the ISE reports we see a successful authentication event but unsuccessful authz (expected, and the Customer is OK with it).

The ACS documentation says that it can retrieve group membership and attributes for a disabled account. Can ISE do something like that?

4 Replies

hslai
Cisco Employee

This likely changed because ISE moved to the new AD connector implementation in ISE 1.3. I will unicast you some relevant info. I would expect the same for ACS 5.8.

Thank you very much for that. We have ISE 1.3, actually.

anvolkov
Cisco Employee

An update for future reference - the Customer managed to retrieve the groups for a disabled account using the LDAP connector. It can be used as a workaround.

Is it for reporting only? Anyhow, please continue on our direct email discussion and I will close this thread.
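
Added example (not from the thread, and not Cisco code): what the LDAP workaround looks like at the attribute level. A plain LDAP search returns `memberOf` for a disabled account like any other attribute, so a consumer that uses those groups for authorization has to read the disabled state itself from `userAccountControl`. The LDIF records, names and the `authorize` policy below are constructed for illustration.

```python
import re

# userAccountControl bit that marks an AD account as disabled.
ACCOUNTDISABLE = 0x0002

# Constructed sample: what an LDAP search could return for two users.
# 514 = 512 (NORMAL_ACCOUNT) + 2 (ACCOUNTDISABLE); 512 = enabled account.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=test
sAMAccountName: jdoe
userAccountControl: 514
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test
memberOf: CN=Finance,OU=Groups,DC=example,DC=test

dn: CN=Bob Roe,OU=Staff,DC=example,DC=test
sAMAccountName: broe
userAccountControl: 512
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry.setdefault(name, []).append(value)
        entries.append(entry)
    return entries

def account_state(entry):
    """Return user name, disabled flag and group CNs for one entry."""
    uac = int(entry["userAccountControl"][0])
    # memberOf lists direct groups only; the primary group is not included.
    groups = [re.match(r"CN=([^,]+)", dn).group(1)
              for dn in entry.get("memberOf", [])]
    return {"user": entry["sAMAccountName"][0],
            "disabled": bool(uac & ACCOUNTDISABLE),
            "groups": groups}

def authorize(state, required_group):
    """Hypothetical policy: groups are readable for disabled accounts,
    so the disabled flag must be checked before trusting membership."""
    return (not state["disabled"]) and required_group in state["groups"]

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        s = account_state(e)
        print(s, "VPN access:", authorize(s, "VPN-Users"))
```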
