Difference between ACS and ISE and how they retrieve AD attributes

mparthan
Cisco Employee

The customer has a setup where they are retrieving specific AD attributes for a user during an authentication session and reports on ISE are then sent to a syslog server where these attributes are parsed.

In the ACS production environment, when a device authenticates to the system, the AD lookup brings back the user information, along with any of the groups and AD attributes that have been defined under the join point. Due to that, the syslog output contains all of those attributes automatically. The billing team then runs a parser against the syslog and is able to look for those AD attributes.

However, in the ISE testing we noticed that by default, no attributes were automatically being brought back during the authentication session, regardless of whether it was a MAB or Dot1x session. If we physically inserted attribute conditions within the authorization policy, the attributes and their values would appear in the ISE local logs and the syslog output.

So only if the attributes were defined as a condition in the authorization policy would we see ISE retrieving those attributes for that user.

I am inclined to think this is by design, however was not able to find this documented anywhere. Can you confirm this please?

Thanks,

Malavika
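The thread above comes down to a parsing problem for the billing team: with ACS every join-point attribute landed in syslog, while ISE only emits an AD attribute when an authorization rule or profile referenced it, so a parser written against ACS output will silently see nothing for sessions that did not hit such a rule. The following is an added example, not code from the original post or from Cisco: it parses ISE-style passed-authentication syslog records (a header followed by comma-separated Key=Value pairs) and reports which expected attributes are absent per user. The two log lines, the attribute names (AD-User-Department, AD-User-Join-Point) and the host and user names are constructed for this example and are not real ISE output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the general shape of ISE passed-authentication
# syslog messages. They are made up for this example, not captured ISE output.
SAMPLE_LOGS = [
    # A rule in the authorization policy referenced the AD attributes, so ISE
    # retrieved them during the session and they appear in the record.
    "<181>Jan 10 10:01:02 ise01 CISE_Passed_Authentications 0000012345 1 0 "
    "2024-01-10 10:01:02.123 +00:00 0000567890 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=jdoe, NAS-IP-Address=10.0.0.5, Protocol=Radius, "
    "AD-User-Department=Billing, AD-User-Join-Point=corp.example.com, "
    "AuthorizationPolicyMatchedRule=Billing-Users,",
    # No rule referenced the attributes: ISE never fetched them, so the record
    # carries only the session fields. A parser that assumes they are present
    # would either crash or attribute this session to nobody.
    "<181>Jan 10 10:02:17 ise01 CISE_Passed_Authentications 0000012346 1 0 "
    "2024-01-10 10:02:17.456 +00:00 0000567891 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=asmith, NAS-IP-Address=10.0.0.5, Protocol=Radius, "
    "AuthorizationPolicyMatchedRule=Default,",
]

# Key=Value pairs are comma-terminated; keys contain no spaces, values no commas.
_KV_RE = re.compile(r"(?P<key>[A-Za-z0-9_.\-]+)=(?P<val>[^,]*)(?:,|$)")


def parse_record(line: str) -> Dict[str, str]:
    """Return the Key=Value attributes carried by one ISE-style syslog record.

    Tokens without '=' (the syslog priority, timestamps, the message name)
    are skipped, so only the attribute portion of the record is returned.
    """
    return {m.group("key"): m.group("val").strip() for m in _KV_RE.finditer(line)}


def extract_fields(line: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """Pull the attributes the downstream (billing) parser needs.

    Missing attributes are returned as None rather than raising, because on
    ISE their absence is expected whenever the session did not match a rule
    that references them.
    """
    record = parse_record(line)
    return {key: record.get(key) for key in wanted}


def audit_records(lines: List[str], wanted: List[str]) -> List[Tuple[str, List[str]]]:
    """List (UserName, missing-attribute-names) for every record lacking any
    wanted attribute. An empty list means every session carried all of them.
    """
    findings = []
    for line in lines:
        fields = extract_fields(line, wanted)
        missing = [key for key in wanted if fields[key] is None]
        if missing:
            findings.append((parse_record(line).get("UserName", "<unknown>"), missing))
    return findings


if __name__ == "__main__":
    wanted = ["AD-User-Department", "AD-User-Join-Point"]
    for line in SAMPLE_LOGS:
        print(extract_fields(line, wanted))
    for user, missing in audit_records(SAMPLE_LOGS, wanted):
        print(f"{user}: no authorization rule referenced {', '.join(missing)}")
```

Running the audit over a day of syslog is a quick way to find which sessions (typically MAB or default-rule matches) never reference the attributes; the fix on the ISE side, as the replies below state, is to reference the attribute in the authorization policy rules or profiles rather than to expect the join point to return it on its own.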

Accepted Solution

It is documented in the ACS to ISE migration guide, Page 21.

How to Migrate ACS 5.x to ISE 2.x

- Krish


4 Replies

hslai
Cisco Employee

That is correct. ACS 5.x uses the ID store sequence to determine the ID stores from which to retrieve attributes, whereas ISE uses authorization policy rules and profiles.


Thank you for confirming, krishnamurthy!

Thanks for confirming, Hsing!