AD users failing to authenticate on Cisco ISE
08-06-2024 02:50 AM
Labels: Identity Services Engine (ISE)
08-06-2024 03:26 AM
Check deployment and license:
- Admin > System > Deployment: enable the Device Admin service
- Admin > System > Licensing: Device Admin
MHM
08-06-2024 08:22 AM
Not enough information here to help, unfortunately. But something is not matching your configured authorization rules. Your AD authentication is successful. My guess is the AD group is not matching.

08-06-2024 03:22 PM
To follow on to @ahollifield's comment, you might need to check the permissions on the ISE machine account in AD to ensure you have the necessary permissions as per this table... especially the 'Read tokenGroups' permission as that is required for group membership lookups.
You can also use the Test Users tool in ISE to confirm it sees the expected group memberships for the User account.
08-06-2024 07:32 PM
@MHM Cisco World Just checked, both Device admin service and Device admin license are active.
@Greg Gibbs I've tried the "Test user" tool and it's returning "Success" on the Authentication result, the group this particular account is a member of on the AD is showing up as well in the "Groups" tab.
I'm not aware of any ISE machine account in our AD, however; is this something that will need to be configured on both the ISE and AD?
Thanks all for the responses.

08-07-2024 04:07 PM
If you have integrated ISE with AD via a Join Point, there would have to be machine accounts created in AD for the ISE nodes.
Have you tried removing the condition related to 'InternalUser'? I don't understand why that is there if you are authorizing an external user against Active Directory. What are you trying to match with that condition?
08-07-2024 06:16 PM
That condition is actually there to enable logins to network devices from an internal account on ISE if connection to the AD fails.
Actually, the problem is currently resolved; I just deleted the policy and added the conditions one by one. Now both AD accounts and the internal account are able to authenticate successfully.
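The thread turns on how ISE authorization rules combine conditions: every condition inside a rule must hold (AND), rules are evaluated top down, and the first match wins. The following is an added, constructed model of that evaluation written to illustrate the discussion; it is not Cisco ISE code, and the session attribute names, rule names and shell profile names are assumptions. It shows the rule layout the original poster described (an AD-group rule plus a separate internal-account rule that only applies when AD is unreachable), returns per-rule diagnostics naming the condition that failed so an unexpected Deny can be explained rather than guessed at, and includes a constructed counter-example of a single rule that ANDs an internal-user condition with an AD-group condition, which no session can ever satisfy.

```python
# Added, constructed model of first-match authorization policy evaluation.
# It is NOT Cisco ISE code: attribute names, rule names and profile names
# are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    """Attributes the policy engine knows about one device-admin login (simplified)."""
    username: str
    identity_store: str                   # "AD" or "Internal" (assumed labels)
    ad_groups: List[str] = field(default_factory=list)
    ad_reachable: bool = True             # whether the AD join point answered


@dataclass
class Rule:
    """An authorization rule: every condition must hold (logical AND)."""
    name: str
    conditions: List[Tuple[str, Callable[[Session], bool]]]
    profile: str


def evaluate(rules: List[Rule], session: Session):
    """First-match evaluation.

    Returns (rule_name, profile, diagnostics). diagnostics maps each rule that
    was tried to the labels of its conditions that failed, so an unexpected
    Deny can be explained condition by condition.
    """
    diagnostics: Dict[str, List[str]] = {}
    for rule in rules:
        failed = [label for label, check in rule.conditions if not check(session)]
        diagnostics[rule.name] = failed
        if not failed:
            return rule.name, rule.profile, diagnostics
    return None, "Deny", diagnostics      # implicit default rule


# Working layout: one rule per identity source. The internal-account rule
# applies only when AD is unreachable, the fallback the poster described.
WORKING_RULES = [
    Rule("AD network admins",
         [("identity store is AD", lambda s: s.identity_store == "AD"),
          ("member of NetAdmins", lambda s: "NetAdmins" in s.ad_groups)],
         "Shell-Priv15"),
    Rule("Internal fallback when AD is down",
         [("identity store is Internal", lambda s: s.identity_store == "Internal"),
          ("AD unreachable", lambda s: not s.ad_reachable)],
         "Shell-Priv15"),
]

# Constructed counter-example (not the poster's actual policy): ANDing an
# internal-user condition into the same rule as an AD-group condition
# yields a rule that no single session can satisfy.
COMBINED_RULE = [
    Rule("Admins (AD group AND internal user)",
         [("identity store is Internal", lambda s: s.identity_store == "Internal"),
          ("member of NetAdmins", lambda s: "NetAdmins" in s.ad_groups)],
         "Shell-Priv15"),
]


if __name__ == "__main__":
    # Constructed sample sessions.
    for sess in (Session("alice", "AD", ["NetAdmins"]),
                 Session("bob", "AD", ["Staff"]),
                 Session("iseadmin", "Internal", ad_reachable=False)):
        name, profile, diag = evaluate(WORKING_RULES, sess)
        print(f"{sess.username}: {profile} via {name}; failed conditions: {diag}")
    name, profile, diag = evaluate(COMBINED_RULE, Session("alice", "AD", ["NetAdmins"]))
    print(f"combined rule: {profile}; failed conditions: {diag}")
```

The diagnostics dictionary is the useful part when troubleshooting: for a denied AD user it names the exact condition that failed (here the group membership), which is the same question the Test User tool answers on a real ISE node.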
