Cisco ISE AD probe

edondurguti
Level 4

Hi,

I'm trying to profile corporate assets without doing any kind of posturing.

Was excited about the Active Directory probe but I've hit some limitations. According to some documents, to trigger the Active Directory probe, ISE must get the host-name attribute; so far the only way to get the host-name attribute is via DHCP.

Looks simple if using WLC or dot1x for wireless/wired users.

Here's an example for wireless:

Configure ISE 2.1 Profiling Services Based on AD Probe - Cisco

My case is for VPN only. I've tried to configure DHCP on the ASA for AnyConnect users but that didn't help; the ASA proxies the DHCP request packets.

I was hoping DNS would provide the 'host-name' attribute, but it looks like DNS provides the FQDN instead, and that doesn't seem to trigger the AD connector runtime. I do have PTR records for my VPN users.

Any ideas anyone?

Thanks

Accepted Solutions

Timothy Abbott
Cisco Employee

Hi Edon,

As you stated, the AD probe is reliant on getting the host name attribute. There are a few ways to do this: DHCP, NMAP and DNS. An FQDN will also trigger the AD probe. Be sure that you have those probes enabled so that the AD probe can be triggered. If you do have those probes enabled, please open a TAC case for further assistance.

Regards,

-Tim

4 Replies

Hi. I have the probes configured but AD fetch is not triggered after receiving the FQDN from the DNS. I see that the FQDN is successfully learned via DNS. I have a case with TAC.

opened: CSCve59881 - dns will not trigger AD probe.

How do you see the fqdn successfully learned from dns?
