ISE 3.0 LDAP Integration - Cannot retrieve groups

mattw · ‎08-27-2021

Hello!

I am helping a customer who is attempting to integrate their ISE 3.0 instance with LDAP. They have configured the LDAP external identity source in ISE and a test bind works fine.

However, when they go over to the groups tab and click on retrieve groups, nothing is displayed. No groups and no errors.

Their LDAP admin says he sees the request received from ISE and he sees the LDAP server respond to ISE.

I know we can do a TCP dump to see the traffic between ISE and LDAP and this might help. Maybe.

Are there any other options for debugging or obvious things to check?

Many thanks in advance,

Matt.

Marcelo Morais · ‎08-27-2021

Hi @mattw ,

at Administration > Identity Management > External Identity Sources > LDAP > select you LDAP > select the Connection tab > click the Test Bind to Server icon ... double check the Number of Groups:

If the Number of Groups is 0, then please check the Directory Organization tab configuration, Subject and Group Search Base.

Hope this helps !!!

mattw · ‎08-27-2021

Hi @Marcelo Morais,

Thank you for your input. We did check this and it showed >0 groups (I think it was around 50). Just seems really strange that we cannot retrieve the list?

Thanks!

Matt.

Marcelo Morais · ‎08-28-2021

Hi @mattw ,

in this case ...

1st start a TCP Dump from the PAN using the filter:

ip host <LDAP IP Addr> and port <LDAP Port>

2nd retrieve the Groups

3rd stop the TCP Dump and check if you receive any packet.

Hope this helps!!!

mattw · ‎08-30-2021

Thanks you again @Marcelo Morais for your help. I did suggest this to them last week along with enabling debug logging and collecting and analysing a support bundle. I think they have solved it now but I need to hear back from them tomorrow.

Thanks!

Matt.

mattw · ‎09-07-2021

Just to close this out, we found the solution was to remove Group Name Attribute = cn from LDAP > General, then retrieve the groups, then put cn back in. Weird.