05-09-2023 03:32 AM
Hello,
I'm facing a problem where, when users authenticate to log in to network devices, they are authenticated to an external AD group which they are not a part of.
This group that they are not a part of is higher in the hierarchy than the group they are supposed to be in, so I don't just want to move the supposed group up either. (More access, the lower you go)
I've checked on the domain controllers using net user /domain <username>, and I do not see the group on their AD account. But in the TACACS+ log, and when I am running Test User (lookup) under Work Centers - Ext ID Sources - Active Directory, I still see the group that they are not a part of.
Have any of you experienced this? Is this something wrong on the domain controllers, or is ISE caching external groups somehow?
05-09-2023 04:37 AM
It appears the group the users were using was also a member of the culprit group. So the problem was in AD.
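The nesting described in the answer can be checked from the AD side with the following PowerShell, an added example that is not part of the original thread: it lists each of a user's direct groups and flags the ones that are the unexpected group or are nested in it at any depth. It assumes the RSAT ActiveDirectory module and read access to the domain; the user name jdoe and group name NetAdmins-Full are hypothetical.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515); backslash must go first.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# DNs of all groups that contain $Dn directly or through any depth of nesting.
# 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.
function Get-TransitiveGroupDn([string] $Dn) {
    $filter = '(member:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $Dn)
    @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty DistinguishedName)
}

function Find-NestedGroupSource {
    param(
        [Parameter(Mandatory)] [string] $UserName,      # sAMAccountName of the affected user
        [Parameter(Mandatory)] [string] $SuspectGroup   # group that shows up unexpectedly
    )
    $user    = Get-ADUser -Identity $UserName -Properties MemberOf, PrimaryGroup
    $suspect = (Get-ADGroup -Identity $SuspectGroup).DistinguishedName

    # Direct memberships only: the memberOf attribute plus the primary group.
    $direct = @($user.MemberOf) + @($user.PrimaryGroup) | Where-Object { $_ }

    foreach ($groupDn in $direct) {
        $parents = Get-TransitiveGroupDn $groupDn
        [pscustomobject]@{
            DirectGroup     = $groupDn
            IsSuspectItself = ($groupDn -eq $suspect)
            NestedInSuspect = ($parents -contains $suspect)
            ParentCount     = $parents.Count
        }
    }
}

# Hypothetical names; replace with the affected account and the unexpected group.
Find-NestedGroupSource -UserName 'jdoe' -SuspectGroup 'NetAdmins-Full' |
    Format-Table -AutoSize
```

A row with NestedInSuspect set to True identifies the direct group whose own membership pulls the user into the unexpected group.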