12-05-2017 03:51 PM
Hi Team,
The customer is running the latest version, ISE 2.3, where we have seen that the ISE live log shows only 4 AD group names in the report. However, if you test the same user from the external identity store using the "Test User" option, ISE fetches many more groups.
Our concern is: if we use another group, one not listed in the live log, as a condition, will it work?
If yes, it is not working in the client provisioning policy, due to which the customer is unable to get the right policy hit.
In ACS, I remember it shows all related groups in the authentication result.
Any help would be appreciated.
Regards
Gagan
12-05-2017 05:50 PM
An AD external group not shown in the previous auth detail reports should work as a condition for ISE NA authorization policy evaluations. As to client provisioning, it's a known limitation that the AD group conditions need to be the one(s) used in NA authorization policy or they would not be present in the session cache.
As to ISE livelogs, there are pros and cons for either way. I personally prefer a shorter list as it's very common a corp user belongs to hundreds of groups.
12-06-2017 07:12 AM
Hi Hsing,
Appreciate your response as always .
I need more clarification on the client provisioning policy in terms of AD groups. If the live log contains 4 AD groups and we use a different AD group as a condition in the CP policy, though the user is part of those 4 AD groups and also of the one used in the CP policy:
Since CPP policy selection is retrieved from the authentication session, as mentioned, in that case only the 4 AD groups listed in the
live log authentication should work.
Will this scenario work?
Regards
Gagan
12-06-2017 08:14 AM
The AD external groups are added to the session cache during the evaluation of ISE authorization policy. Thus, only those gone through this evaluation will work as AD-external-group conditions in ISE Client Provisioning policy.
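The following is an added example to illustrate the session-cache behaviour described in the reply above; it is a simplified Python model, not ISE code, and the group names, rule names and the user are constructed for the demo. It assumes (as a modelling choice, not something stated on the page) that authorization rules are evaluated top-down until the first match and that the only AD groups reaching the session cache are those referenced as conditions in the rules actually evaluated. Case 1 shows a CP rule on an unreferenced group silently falling through to the default; case 2 shows the same CP rule matching once the group is referenced by the NA authorization rule that hits.

```python
"""Simplified model of the ISE session-cache limitation for AD-group conditions.
Added example, not ISE code. Assumptions: authz rules are evaluated top-down
until the first match, and only the AD groups referenced by evaluated rules
are written to the session cache that Client Provisioning later reads."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    ad_groups: list           # external AD groups used as conditions


@dataclass
class Session:
    user: str
    ad_membership: set        # what "Test User" against the AD store returns
    cache: set = field(default_factory=set)   # groups visible in live log / to CP


def evaluate_authz(session, rules):
    """Network-access authorization: resolve each rule's AD-group conditions
    against AD, cache what the user matched, stop at the first matching rule."""
    for rule in rules:
        hits = {g for g in rule.ad_groups if g in session.ad_membership}
        session.cache |= hits               # only referenced groups get cached
        if hits == set(rule.ad_groups):     # every condition satisfied
            return rule.name
    return None


def evaluate_cp(session, rules):
    """Client provisioning: conditions are checked against the session cache,
    never against AD, so a group that was never referenced cannot match."""
    for rule in rules:
        if all(g in session.cache for g in rule.ad_groups):
            return rule.name
    return None


def demo():
    # Constructed sample: the user is in five AD groups (hypothetical names).
    membership = {"Domain Users", "VPN-Users", "Contractors",
                  "Posture-Required", "Finance"}
    cp_policy = [Rule("Finance-Agent", ["Finance"]), Rule("Default-Agent", [])]

    # Case 1: "Finance" is not referenced by any authz rule -> CP cannot see it.
    s1 = Session("user1", set(membership))
    authz_1 = [Rule("VPN-Access", ["VPN-Users"]), Rule("Default", [])]
    evaluate_authz(s1, authz_1)

    # Case 2: the matching authz rule also references "Finance", so the group
    # is evaluated and cached for this session and the CP rule can match.
    s2 = Session("user1", set(membership))
    authz_2 = [Rule("Finance-VPN-Access", ["Finance", "VPN-Users"]),
               Rule("Default", [])]
    evaluate_authz(s2, authz_2)

    return {
        "case1_cache": sorted(s1.cache),
        "case1_cp": evaluate_cp(s1, cp_policy),
        "case2_cache": sorted(s2.cache),
        "case2_cp": evaluate_cp(s2, cp_policy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check this models: compare the groups shown in the live log for the session with the groups your CP policy conditions use; any CP condition on a group absent from that list will never be satisfied until an NA authorization rule that is actually evaluated for the session references it.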
12-06-2017 09:11 AM
Hi Hsing,
Appreciate your response.
So if we have 4 AD groups listed, then we can only use those groups in the CP policy, as discussed. Only 4 AD groups are added to the session ID.
If this is the case, we need to file a bug on ISE only using 4 AD groups at a time. It could be possible there is an existing bug on this.
Regards
Gagan
12-06-2017 09:15 AM
If not already documented in our ISE admin guide, please open a doc bug on this.