I'm having a similar issue, however my AD group doesn't have any apostrophe charachters.  The only 'non standard' characters it has is some spaces " " and a "&" symbol, could this cause the same problem?

Hello Zach,

My groups didnt have an apostrophe but my OU did...

mydomain.local/admin groups/doesn't need auth/ISe_admin  ( kinda group )

i dont wanna replace Cisco TAC teams but:

1. Log into ISE using a working admin user and navigate to Administration > System > Logging > Debug Log Configuration

2. Select the admin node from the "Node list" on the right and click the "Edit" button

3. Turn up the  logging level of the "nfs" and "identity-store-AD" components (click on  the current log level and change it to TRACE)

4. Try to log in using the failing user.

5. Navigate to Operations > Troubleshoot > Download Logs and select your admin node

6. Click the "Debug Logs" item in the right pane

7. Download the file "ise-psc.log"  search for the last auth fail with yur user

Thats how i did find my problematic groups.

I asked the tac engeneer to update the CSCud31796 to include the OU names, not only groups

Hope that help

by the way:

1- will be fixed in release 1.2

2- the apostrophe actually stop the group membership comparaison

3- didnt test it yet but i suspect that any comparason rules, aka memberof in any policy.. wont work because of that

to fix that, in addition to Jatin Comments, you could put yur user in the TOP level groups lets say: mydomain.local/admin groups/1-admin_ise

this way, the appostrophe wont be hit before matching the rule.

Thx to Jatin Also

Bye

Ce message a été modifié par: Eric Lessard

Thx Jatin!

see my comment below... do you know if in fact it would also impact any policy rules based on membership ? or is it only affecting admin access?

sorry for any delay!

Well I did read user Auth fail on Authorization Policy when rule contain group with special character.

This problem exist in ACS 5.x as well.

Jatin Katyal

- Do rate helpful posts -