AD Probe possible caveat

aravikumar
Level 1

Hello,

 

We were testing the AD probe in ISE 2.4 patch 5. The following scenarios were tested.

Scenario 1: The endpoint is part of the domain and is configured for PEAP, with the setting "User or Computer Authentication".

The endpoint is booted up and then connected to the port configured for ISE. While the endpoint is at the login screen, we can see computer authentication happening and the AD attributes being collected in ISE. We could see them in context visibility. For instance, we see AD-host-exists = true. Works as expected.

 

Scenario 2: The endpoint is removed from the domain and is configured for PEAP, with the setting "User or Computer Authentication".

The endpoint is removed from the AD domain. After 24 hours we connect the endpoint; the authentication fails and the AD attributes do not get updated. Ideally, we should see the AD-host-exists attribute becoming false, but this is not happening.

 

Scenario 3: A new endpoint that was never part of the domain and is configured for PEAP, with the setting "Computer Authentication".

When a new endpoint that is not part of the domain connects to the port configured for ISE, we do not see any AD attributes in context visibility. I have the default authorization policy as Permit All. Ideally I should see the AD attributes accumulated, with AD-host-exists being false.

 

We would like to know whether scenarios 2 and 3 are expected behavior in ISE. Are there any plans in the pipeline to include the aforementioned requirement as part of an enhancement?

 

Thanks,

 

Aravind Ravikumar

Accepted Solution

hslai
Cisco Employee

Both 2 and 3 are expected.

On 2, as Danny said, ISE profiling service can only purge an endpoint as whole but not some selected attribute(s).

On 3, that is how this probe is working today. I would suggest treating the absence of the particular attribute as false.


3 Replies

ldanny
Cisco Employee

Have you tried to remove the endpoint from ISE before initiating connectivity?

 

Thank you for the response. Yes I tried that. But we could not see the "AD-host-exists" attribute becoming false.

 

Thanks,

 

Aravind Ravikumar.

 
