03-29-2023 08:28 AM
Hello ISE experts!
I'm running into an issue with ISE and hoping to find some guidance here.
ISE Version: 3.1.0.518. Patch: 3.
My ISE deployment is integrated with the company's AD. This was done a long time ago and it is working fine. The status is operational and running the diagnostic tool shows a status of "successful" for all the tests.
Recently, I had to add a new AD group, which I'm able to do with no issues.
The problem I'm having is that the new group does not come up in the "condition studio" when I'm trying to use it in an authorization policy.
I have removed and re-added the group, but no luck.
Has anyone experienced anything similar with this version of ISE?
I have a TAC ticket opened but not much help so far.
03-29-2023 08:42 AM
@GFernandez07 the AD group won't automatically appear as a saved condition in the conditions library.
You import the group under the External Identity Sources > AD domain
You then select the AD group from the Conditions editor, select DOMAINNAME:ExternalGroup EQUALS <Group you imported>
If you wish to save that as a re-usable condition in the library (on the left of the screenshot above), click save, else click Use.
03-29-2023 08:57 AM
@GFernandez07 ok, so it doesn't appear in the dropdown list to select? I assume you double checked under the External Identity Sources > AD domain that the correct group is imported correctly?
03-29-2023 09:17 AM
@GFernandez07 are these AD groups "Domain Local" groups or something different to the other AD groups you are able to reference in a policy?
03-29-2023 04:03 PM
I know it says fixed in 3.1 P3, but I suggest testing the workaround anyway.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa55996
After you create the new group, or import the new AD group to ISE, try the below:
Workaround:
1. Go to Network Device Profile page
2. Create and delete one of them and wait for 20-30 seconds
3. Go to the policy set conditions and it should show changes. If it doesn’t, please reload the page.
If it doesn't help, I suggest continuing to work with TAC on it.
03-30-2023 07:20 AM
@Tariq Mahmoud. That fixed the issue. Thank you very much.
11-14-2023 01:58 AM
@GFernandez07, we have been having the same issue. Please share how we should fix this issue. Thank you.
11-14-2023 06:14 AM
@hlyanpyaechan21, please refer to Tariq's post. That fixed it for me.