05-08-2023 04:23 PM
Hello Guys,
I'm doing an EAP chaining lab using ISE 2.7 and Windows Server 2016. Almost everything is working fine, but I'm stuck on this "problem". I want to create Authz rules based on AD Security Groups, but during a user authentication ISE for some reason doesn't retrieve the AD groups to which the user belongs, so the Authz fails and the authentication is denied.
Have you guys ever seen this behavior? What can it be?
05-08-2023 05:46 PM
From an AD permissions perspective, group matching issues can be caused by the ISE machine account not having the permission to read tokenGroups. See the following document for the required AD permissions.
Active Directory Integration with Cisco ISE 2.x
There are also bug fixes related to AD Group matching in various patches for ISE 2.7 and you did not specify what patch level you have installed. If you are not using the latest patch for 2.7 (currently patch 9), then you should start by updating to the latest patch.
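One way to verify the permission this answer points at, as an added example that is not part of the thread: a PowerShell check run on a domain-joined Windows host that inspects the ACL of the container holding the users and reports whether the ISE join-point machine account is granted Read on the tokenGroups attribute. The account name `LAB\ISE-PSN01$` and the container `OU=Users,DC=lab,DC=local` are placeholders, and only ACEs granted directly to that account are examined (membership in a delegated group is not expanded).

```powershell
# Added example, not from the thread: does the ISE machine account hold
# "Read tokenGroups" on the OU that contains the users?
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$iseAccount = 'LAB\ISE-PSN01$'               # assumed ISE join-point machine account
$targetDN   = 'OU=Users,DC=lab,DC=local'     # assumed container holding the user objects

# Resolve the schemaIDGUID of tokenGroups from the schema rather than hardcoding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tokenGroupsGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=tokenGroups)' -Properties schemaIDGUID).schemaIDGUID
$allProperties = [guid]::Empty   # an ACE with an empty ObjectType covers every property

$acl = Get-Acl -Path ("AD:\" + $targetDN)
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Keep Allow ACEs for the ISE account that grant ReadProperty on tokenGroups (or on all
# properties) and that are inherited by the objects beneath the OU, not just the OU itself
$matching = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $iseAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $readProperty) -ne 0) -and
    ($_.ObjectType -eq $tokenGroupsGuid -or $_.ObjectType -eq $allProperties) -and
    $_.InheritanceType -ne 'None'
}

if ($matching) {
    "OK: $iseAccount is granted Read tokenGroups under $targetDN"
    $matching | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
} else {
    "MISSING: no direct ACE grants $iseAccount Read tokenGroups under $targetDN; ISE will not retrieve the user's groups"
}
```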
05-08-2023 05:31 PM
Perform a test user authentication from the ISE GUI. Under External Identity Stores > select the Active Directory join point name > click Test User, and check whether you are able to fetch the user attributes normally. If not, it may be a permission issue on AD.
05-11-2023 01:48 PM
@Isildur - perhaps you're running into this defect CSCvz85074 that also affects ISE 2.7
05-12-2023 01:26 PM
I was using ISE 2.7 with no patch and the problem was resolved after I updated to the last patch.
Thank you very much guys!!