Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
949
Views
0
Helpful
3
Replies

AD Probe possible caveat

Go to solution
aravikumar
Level 1
Level 1

‎06-11-2019 09:46 AM

Hello,

 

We were testing the AD probe in ISE 2.4 patch 5. The following scenarios were tested.

 

Scenario-1: The Endpoint is part of Domain  and is configured for PEAP and the setting is "User or Computer Authentication"

The endpoint is booted up and then connected to the port configured for ISE. While the endpoint is in the login screen, we can see computer authentication happening and the AD attributes are collected in ISE. We could see them in context visibility. For instance we see AD-host-exists = true. Works as expected.

 

Scenario-2: The Endpoint is removed from Domain  and is configured for PEAP and the setting is "User or Computer Authentication"

The endpoint is removed from the AD domain. After 24 hours we connect the endpoint, the authentication fails and the AD attributes did not get updated. Ideally, we should be seeing the AD-host-exists attribute becoming false. But this is not happening.

 

Scenario-3: The New Endpoint which was never part of the Domain  and is configured for PEAP and the setting is "Computer Authentication"

When a new endpoint which is not a part of domain is connecting to the port configured for ISE. We are not seeing any AD attributes in the context visibility. I have default authorization policy as Permit All. Ideally I should see the AD attributes accumulated. AD-host-exists should be false.

 

We would like to know whether scenario 2 and 3 is expected behavior  in ISE. Are there any plans in the pipeline to include the aforementioned requirement as a part of enhancement?

 

Thanks,

 

Aravind Ravikumar

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-13-2019 09:21 AM

Both 2 and 3 are expected.

On 2, as Danny said, ISE profiling service can only purge an endpoint as whole but not some selected attribute(s).

On 3, that is how this probe working today. I would suggest to treat the absence of the particular attribute as false.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎06-12-2019 03:17 AM

have you tried to remove endpoint from ISE before initiating connectivity?

 

0 Helpful

Go to solution
aravikumar
Level 1
Level 1
In response to ldanny

‎06-12-2019 06:23 AM

Thank you for the response. Yes I tried that. But we could not see the "AD-host-exists" attribute becoming false.

 

Thanks,

 

Aravind Ravikumar.

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-13-2019 09:21 AM

Both 2 and 3 are expected.

On 2, as Danny said, ISE profiling service can only purge an endpoint as whole but not some selected attribute(s).

On 3, that is how this probe working today. I would suggest to treat the absence of the particular attribute as false.

0 Helpful
Customers Also Viewed These Support Documents