Cisco ISE 2.7 - Retrieving AD groups that do not exist

Andreas88
Level 1

Hello,

I'm facing a problem that when users are authenticating to log in to network devices, they are authenticated to an external AD group which they are not a part of.

This group that they are not a part of is higher in the hierarchy than the group they are supposed to be in, so I don't just want to move the supposed group up either. (More access, the lower you go)

I've checked on the domain controllers using net user /domain <username>, and I do not see the group on their AD account. But in the TACACS+ log, and when I am running Test User (lookup) under Work Centers - Ext ID Sources - Active Directory, I still see the group that they are not a part of.

Have any of you experienced this? Is this something wrong on the domain controllers, or is ISE caching external groups somehow?

Accepted Solutions

Andreas88
Level 1

It appears the group the users were using was also a member of the culprit group. So the problem was in AD.
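
Added example, not part of the original thread: the nesting described in the accepted solution, worked through on constructed data. It resolves a user's effective groups by following group-in-group membership and reports the chain behind each inherited group, which is why a listing of the account's direct groups does not show it. All user and group names are hypothetical.

```python
from collections import deque

# Constructed sample data (not from the original thread): each key is a
# principal, each value the groups it is a direct member of (memberOf).
MEMBER_OF = {
    "jdoe": ["NetOps-ReadOnly"],
    "NetOps-ReadOnly": ["NetOps-Admins"],  # the nesting that causes the surprise
    "NetOps-Admins": ["NetOps-ReadOnly"],  # circular nesting, which AD permits
    "asmith": ["Helpdesk"],
}


def effective_groups(principal, member_of):
    """Return {group: chain} for every group reached directly or via nesting.

    chain lists the principals from the user to the group, so a chain with
    more than two entries means the membership is inherited.
    """
    chains = {}
    queue = deque([[principal]])
    while queue:
        chain = queue.popleft()
        for group in member_of.get(chain[-1], []):
            if group == principal or group in chains:
                continue  # already resolved; this also stops circular nesting
            chains[group] = chain + [group]
            queue.append(chains[group])
    return chains


def inherited_only(principal, member_of):
    """Groups the principal holds only through nesting, with the chain."""
    direct = set(member_of.get(principal, []))
    return {g: c for g, c in effective_groups(principal, member_of).items()
            if g not in direct}


if __name__ == "__main__":
    for group, chain in inherited_only("jdoe", MEMBER_OF).items():
        print(f"{group}: " + " -> ".join(chain))
```

Against a real directory the membership map would come from an export of each group's memberOf attribute; the chain in the output names the group whose nesting has to be removed.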
