How to fetch specific parameters from AD in ISE

ImanMo93
Level 1

Hello everyone,

I was wondering if there is any way to configure the parameters fetched from AD in Cisco ISE.

I have a problem in authorization.

The problem is, when I set the Ethernet configuration to accept the current user logon credential, it's gonna be something like this: Domain\UserName (SamAccountName), and when it comes to this, ISE is unable to recognize the Group and Department of that user. But when I set Ethernet to ask users for their credentials, everything is fine and it's gonna be something like: Username@Domain.

I also use Identity Rewrite to change the credential from SamAccountName to UPN but still have the problem.

So, I decided to add the Department attribute to AD and LDAP, but unfortunately ISE doesn't fetch that from AD.

That's why I started this discussion and am asking for some help.

Any suggestion?

Accepted Solution

Arne Bier
VIP

In the ISE Admin > Identity Management > External Identity Sources > Active Directory, select one of the AD servers and click 'Test User'. Check the AD attributes that ISE can retrieve by supplying ISE with a valid AD username and password (if you don't supply a valid password then the attributes and groups cannot be listed).

ise-department.png

Once you can see it here, then you know you can add this attribute into ISE for your AuthZ policies.

ise-atttri-import.PNG


3 Replies


Thanks Arne.

I use the "MemberOf" attribute to AuthZ the clients.

Now it successfully authorizes users when they are authenticated via NTLM.

Just be careful with the "MemberOf" attribute for group membership. It will list all groups that a computer/user is a member of EXCEPT the "Primary Group." Normally, the "Primary Group" is Domain Users or Domain Computers. I have seen in the past where the Primary Group is something else and that particular group does not show up in MemberOf. You can test this by going to the properties on a user account and the group membership tab. There is a button to set the Primary Group. Set it to a group that you are checking for in ISE and see if it still works. Instead of MemberOf, use the "Groups" tab in ISE and add the particular groups that you are interested in.
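The gap described in the reply above, as an added example that is not code from this thread or from Cisco ISE: given the attributes an LDAP query returns for a user, it resolves the primary group from `primaryGroupID` (AD stores only the group's RID there, and the group's SID is the domain SID plus that RID) and flags the case where a `memberOf`-only authorization rule would miss a group the user actually belongs to. The domain SID, group DNs and the sample user are constructed values.

```python
# Added example, not code from the thread or from Cisco ISE: why a memberOf
# check misses a user's primary group, and how to resolve that group from
# primaryGroupID. All SIDs, DNs and the user below are constructed samples.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
DEFAULT_PRIMARY_RIDS = {513, 515}  # Domain Users, Domain Computers

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
NETACCESS_DN = "CN=NetAccess,OU=Groups,DC=example,DC=com"
FINANCE_DN = "CN=Finance,OU=Groups,DC=example,DC=com"

# Constructed directory snapshot: group objectSid (string form) -> group DN.
# AD does not put the primary group in memberOf; the user carries only its
# RID in primaryGroupID, and the group's SID is "<domain SID>-<RID>".
GROUPS_BY_SID = {
    f"{DOMAIN_SID}-513": DOMAIN_USERS_DN,
    f"{DOMAIN_SID}-1105": NETACCESS_DN,
    f"{DOMAIN_SID}-1200": FINANCE_DN,
}

# Constructed user whose primary group was changed to NetAccess.
SAMPLE_USER = {"sAMAccountName": "jdoe", "memberOf": [FINANCE_DN], "primaryGroupID": 1105}


def primary_group_dn(user, domain_sid=DOMAIN_SID, groups_by_sid=GROUPS_BY_SID):
    """Resolve the primary group's DN from primaryGroupID, or None if unknown."""
    rid = user.get("primaryGroupID")
    return None if rid is None else groups_by_sid.get(f"{domain_sid}-{int(rid)}")


def effective_groups(user, **kw):
    """memberOf plus the primary group: the set a group check should really use."""
    groups = set(user.get("memberOf", []))
    primary = primary_group_dn(user, **kw)
    if primary:
        groups.add(primary)
    return sorted(groups)


def memberof_misses(user, group_dn, **kw):
    """True when a rule matching on memberOf alone would not see group_dn even
    though the user belongs to it via the primary group."""
    return group_dn not in user.get("memberOf", []) and primary_group_dn(user, **kw) == group_dn


def nondefault_primary_group(user):
    """Flag accounts whose primary group is not Domain Users / Domain Computers;
    these are the accounts a memberOf-only authorization rule can misclassify."""
    rid = user.get("primaryGroupID")
    return rid is not None and int(rid) not in DEFAULT_PRIMARY_RIDS
```

Running `nondefault_primary_group` over an export of user objects gives the list of accounts to re-check after switching an ISE rule from the MemberOf attribute to the Groups tab.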