ISE 2.7 not fetching AD-Groups-Name attribute from Active Directory

Isildur
Level 1

Hello Guys,

I'm doing an EAP chaining lab using ISE 2.7 and Windows Server 2016. Almost everything is working fine, but I'm stuck on this "problem". I want to create AuthZ rules based on AD security groups, but during a user authentication ISE for some reason doesn't retrieve the AD groups the user belongs to, so the AuthZ fails and the authentication is denied.

Have you guys ever seen this behavior? What can it be?

Accepted Solution

Greg Gibbs
Cisco Employee

From an AD permissions perspective, group matching issues can be caused by the ISE machine account not having the permission to read tokenGroups. See the following document for the required AD permissions.

Active Directory Integration with Cisco ISE 2.x

There are also bug fixes related to AD Group matching in various patches for ISE 2.7 and you did not specify what patch level you have installed. If you are not using the latest patch for 2.7 (currently patch 9), then you should start by updating to the latest patch.

4 Replies

poongarg
Cisco Employee

Perform a test user authentication from the ISE GUI. Under External Identity Stores > select the Active Directory join point name > click Test User and check whether you are able to fetch the user attributes normally or not. If not, it may be a permission issue on AD.
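The two checks suggested in this thread (fetching the user's groups as ISE would, and confirming the ISE machine account is allowed to read tokenGroups, per the accepted answer) can be reproduced from a domain-joined Windows host. The PowerShell below is an added example, not from the original thread or from Cisco; it assumes the RSAT ActiveDirectory module is installed and that you run it as a domain administrator. The machine account name `ISE01` and the test user `jdoe` are hypothetical placeholders. Step 1 runs under your own credentials, so it shows what the attribute should return, not what ISE's account sees; step 2 is a simplified ACL check that does not expand nested groups or evaluate Deny ACEs.

```powershell
# Added example (not from the original thread). Requires RSAT ActiveDirectory; run as a domain admin.
Import-Module ActiveDirectory

$IseMachineAccount = 'ISE01'   # hypothetical: sAMAccountName of the ISE join-point machine account (no trailing '$')
$TestUser          = 'jdoe'    # hypothetical: a user whose AD group lookups fail in ISE

$user = Get-ADUser -Identity $TestUser

# --- 1. Read tokenGroups the way ISE does ----------------------------------------------------
# tokenGroups is a constructed attribute: it is only returned by a base-scope search on the user
# object itself. A subtree search or Get-ADUser -Properties tokenGroups will not show it.
$entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($user.DistinguishedName)")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)', @('tokenGroups'))
$searcher.SearchScope = 'Base'
$result = $searcher.FindOne()

$sids = @($result.Properties['tokenGroups'] | ForEach-Object {
    New-Object System.Security.Principal.SecurityIdentifier($_, 0)
})
Write-Host "tokenGroups for $TestUser (read as $env:USERDOMAIN\$env:USERNAME): $($sids.Count) SIDs"
foreach ($sid in $sids) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    '{0,-45} {1}' -f $sid.Value, $name
}

# --- 2. Does the ISE machine account have read access to tokenGroups on this user? -----------
# Resolve the attribute's schemaIDGUID and, if it belongs to a property set, that set's GUID,
# so both attribute-specific and property-set ACEs can be matched without hard-coded GUIDs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tgSchema = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=tokenGroups)' `
                         -Properties schemaIDGUID, attributeSecurityGUID
$tgGuids = @([guid]$tgSchema.schemaIDGUID)
if ($tgSchema.attributeSecurityGUID) { $tgGuids += [guid]$tgSchema.attributeSecurityGUID }

# SIDs the machine account presents: itself, its direct groups, Authenticated Users, Everyone.
# Nested group membership is not expanded here (simplification).
$machine   = Get-ADComputer -Identity $IseMachineAccount
$tokenSids = @($machine.SID.Value, 'S-1-5-11', 'S-1-1-0') +
             @(Get-ADPrincipalGroupMembership -Identity $machine | ForEach-Object { $_.SID.Value })

# Pre-Windows 2000 Compatible Access (S-1-5-32-554) is the usual source of this permission;
# it counts if the machine, or a well-known SID it holds, is a member of that group.
$pre2k = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
foreach ($m in $pre2k.member) {
    $memberSid = if ($m -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals') { $Matches[1] }
                 elseif ($m -eq $machine.DistinguishedName) { $machine.SID.Value }
    if ($memberSid -and $tokenSids -contains $memberSid) { $tokenSids += $pre2k.SID.Value; break }
}

$readBits = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'
$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$grants = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $readBits) -eq 0) { continue }
    # An empty ObjectType covers all properties; otherwise it must name tokenGroups or its property set.
    if ($ace.ObjectType -ne [guid]::Empty -and $tgGuids -notcontains $ace.ObjectType) { continue }
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    if ($tokenSids -contains $aceSid) { $ace }
}

if ($grants) {
    Write-Host "OK: $IseMachineAccount is granted read on tokenGroups for $TestUser via:"
    $grants | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited | Format-Table -AutoSize
} else {
    Write-Warning "No Allow ACE grants $IseMachineAccount read on tokenGroups for $TestUser (Deny ACEs and nested groups not evaluated)."
}
```

If step 1 lists the expected groups but step 2 finds no matching ACE, the symptom in this thread (authorization rules never matching the user's groups) is the expected outcome, and the fix is on the AD side, not in ISE; if step 2 passes on an unpatched 2.7 node, the patch-level advice in the accepted answer is the next thing to act on.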

Arne Bier
VIP

@Isildur - perhaps you're running into this defect, CSCvz85074, which also affects ISE 2.7.

Isildur
Level 1

I was using ISE 2.7 with no patch, and the problem was resolved after I updated to the latest patch.

Thank you very much guys!!