Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
380
Views
1
Helpful
5
Replies

AD prob incorrect data

Go to solution
Sebastien Lagueux
Level 1
Level 1

‎04-10-2024 08:55 AM

Hello,

I have ISE 3.1.0.518 patch 8. I have a problem that ISE is not fetching the correct attribute information for MacOS. My Macs are not joined to my Windows domain, but ISE finds AD attributes for my Mac but completely wrong. They detect that it is a Windows with another host name. I deleted the Endpoint Mac and bad data comes back. How to fix this?

Endpoint Profile: Apple-Device

AD-Operating System: Windows 10

AD-Fetch-Host-Name: wrong host name

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sebastien Lagueux
Level 1
Level 1
In response to ahollifield

‎04-11-2024 06:04 AM - edited ‎04-11-2024 06:04 AM

The AD prod is activated to be able to make rules depending on which group or OU a computer finds itself in.
But I think I found my problem. ISE relies on reverse DNS entry, and I notice that I have a problem at this level. My PTR entries do not match the DNS entries.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
ahollifield
VIP
VIP

‎04-10-2024 01:03 PM

Do you have the need for the AD probe?  Why is it enabled to start with?  

0 Helpful

Go to solution
Sebastien Lagueux
Level 1
Level 1
In response to ahollifield

‎04-11-2024 06:04 AM - edited ‎04-11-2024 06:04 AM

The AD prod is activated to be able to make rules depending on which group or OU a computer finds itself in.
But I think I found my problem. ISE relies on reverse DNS entry, and I notice that I have a problem at this level. My PTR entries do not match the DNS entries.

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to Sebastien Lagueux

‎04-11-2024 06:19 AM

Yeah without properly functioning reverse records you will see issues like this with the AD probe.  I would argue active authentication based on machine certificates and looking up OU based on the derived machine name from the certificate is a much better approach for checking group/OU membership than relying on the AD probe.

0 Helpful

Go to solution
Sebastien Lagueux
Level 1
Level 1
In response to ahollifield

‎04-11-2024 06:22 AM - edited ‎04-11-2024 06:22 AM

Interesting, I'll look into that. Do you happen to have any documentation on this? I'm quite new to ISE. Thanks for your help

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to Sebastien Lagueux

‎04-11-2024 06:26 AM - edited ‎04-11-2024 06:28 AM

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html#toc-hId-133117567

I would also suggest going through some ISE training to learn about authorization policy logic, etc.  I would also suggest working with your Cisco Account SE and your preferred Cisco Partner of choice to also help with ISE deployment and policy creation.

Customers Also Viewed These Support Documents