Cisco ISE Sponsor Portal Auth using LDAP Dynamic / Query based Distribution Groups/Lists

R M C
Level 1

Hi All

I am trying to enable authentication to the ISE Sponsor Portal using LDAP lookup to AD groups.  Security policy dictates that the ISE nodes cannot be domain joined to the AD, so I have to use LDAP lookup.

This works fine with standard Distribution groups; however, I can't get it to work with Query-Based / Dynamic Distribution Lists.  Are these supported with ISE?  I need a Group/List that contains all staff and the only ones available are Dynamic.

I've changed the Group Objectclass to msExchDynamicDistributionList and this allows me to select the groups from AD; however, authentication fails.

Group Map Attribute is still memberOf.  I've attached a screenshot of the LDAP Identity Source general setup.

Has anyone got this working?

Many thanks

Mark

1 Accepted Solution

Hi Jason

Many thanks for your reply, much appreciated, and apologies for the delay in my reply.  I managed to find something that worked for my environment (I'm not sure if it will be helpful for others) when using the Group Objectclass: msExchDynamicDistributionList.  If I used the Group Map Attribute: showInAddressBook, I was able to map a group that all users were a member of.  I did have to add the group manually, however; it couldn't be added from searching the directory.  Hopefully this will be of help to others, unless I have a very unique environment of course!!

2 Replies

Jason Kunst
Cisco Employee
Have you tried using LDAP attributes instead?
