Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2678
Views
0
Helpful
4
Replies

ISE AD Attribute Not Pulling.

Go to solution
Jordan Taylor
Level 1
Level 1

‎06-06-2018 12:09 PM

I have a Policy set for Anyconnect Via RADIUS, which looks at the Dial-in attribute for AD. for some reason this is only being pulled for some users and not others. All the user are under the same Domain.

Any thoughts?

Thanks,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-06-2018 04:34 PM

It seems the ISE computer account in AD not having read permissions for such attribute in some particular AD user objects.

You might want to try allowing "Read All Properties" for ISE. If that not possible, then

use auditing to see what permissions you need (by looking at what accesses fail in the audit log).  Repeat until it all seems to work.

References:

How Access Control Works in Active Directory Domain Services

Controlling Access to Objects and Their Properties

Setting Rights to Specific Types of Objects

Setting Rights to Specific Properties of Specific Types of Objects

View solution in original post

0 Helpful
4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-06-2018 04:34 PM

It seems the ISE computer account in AD not having read permissions for such attribute in some particular AD user objects.

You might want to try allowing "Read All Properties" for ISE. If that not possible, then

use auditing to see what permissions you need (by looking at what accesses fail in the audit log).  Repeat until it all seems to work.

References:

How Access Control Works in Active Directory Domain Services

Controlling Access to Objects and Their Properties

Setting Rights to Specific Types of Objects

Setting Rights to Specific Properties of Specific Types of Objects

0 Helpful

Go to solution
Jordan Taylor
Level 1
Level 1
In response to hslai

‎06-08-2018 06:13 AM

Would this still apply when I can pull the attribute need from some users over others? And these users are in the same Domain same groups. and I still get the same behavior.

Thanks,  

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Jordan Taylor

‎06-08-2018 06:23 AM

Yes, MS permissions can be set per object. Thus, ISE might not have the same permissions to users in the same domain and same groups.

0 Helpful

Go to solution
Jordan Taylor
Level 1
Level 1
In response to hslai

‎06-08-2018 08:48 PM

Thanks, are there any best practice pages on Active Directory architecture.

Found this one.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#tas…

0 Helpful
Customers Also Viewed These Support Documents
Top