
ISE 3.1 - New AD group not showing in the Condition Studio

GFernandez07
Level 1

Hello ISE experts!

I'm running into an issue with ISE and hoping to find some guidance here.

ISE Version: 3.1.0.518. Patch: 3.

My ISE deployment is integrated with the company's AD. This was done a long time ago and it is working fine. The status is operational and running the diagnostic tool shows a status of "successful" for all the tests.

Recently, I had to add a new AD group, which I'm able to do with no issues.

The problem I'm having is that the new group does not come up in the "condition studio" when I'm trying to use it in an authorization policy.

I have removed and re-added the group, but no luck.

Has anyone experienced anything similar with this version of ISE?

I have a TAC ticket opened but not much help so far.

Accepted Solution

Tariq Mahmoud
Level 1

I know it says fixed in 3.1 P3, but I suggest testing the workaround anyway.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa55996

After you create the new group, or import the new AD group to ISE, try the below:
Workaround:
1. Go to Network Device Profile page
2. Create and delete one of them and wait for 20-30 seconds
3. Go to the policy set conditions and it should show changes. If it doesn’t, please reload the page.

If it doesn't help, I suggest continuing to work with TAC on it.

11 Replies

@GFernandez07 the AD group won't automatically appear as a saved condition in the conditions library.

You import the group under the External Identity Sources > AD domain

You then select the AD group from the Conditions editor, select DOMAINNAME:ExternalGroup EQUALS <Group you imported>

If you wish to save that as a re-usable condition in the library (on the left of the screenshot above), click save, else click Use.

@rob,
Thanks for the reply.
Sorry, I don't think I explained the issue correctly. And I understand what you mean.
My issue is that when I'm creating a new authorization policy, and select the External group (AD) I can't see the newly added group.

@GFernandez07 ok, so it doesn't appear in the dropdown list to select? I assume you double checked under the External Identity Sources > AD domain that the correct group is imported correctly?

That is correct. It doesn't appear.
And yes, I tested adding different groups and I can import them without an issue. However, nothing I add comes up when creating a new policy.

@GFernandez07 are these AD groups "Domain Local" groups or something different to the other AD groups you are able to reference in a policy?

They are all "Global" groups.

GFernandez07
Level 1

@Tariq Mahmoud, that fixed the issue. Thank you very much.

hlyanpyaechan21
Level 1

@GFernandez07, we have been having the same issue. Please share how we should fix this issue. Thank you.

GFernandez07
Level 1

@hlyanpyaechan21, please refer to Tariq's post. That fixed it for me.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa55996