07-17-2012 09:18 AM - edited 03-10-2019 07:18 PM
I am integrating ISE 1.1.1 into a very large AD structure. I have all the nodes joined to the domain but need help on the filter config to pull groups. Does anyone have the possible details on filter syntax? I am getting the message “Reading Directory” but never get any results. I need to add a very deep filter to get the groups I want.
Thanks for all input
07-17-2012 10:35 AM
Are you referring to this section -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059262
If so, then you use a wildcard towards the end of the group name, i.e. Domain Users and Domain Computers will appear with Domain* entered. If you want just Domain Computers then enter Domain C*; the filter syntax is case sensitive.
Hope that helps,
Tarik Admani
*Please rate helpful posts*
07-17-2012 10:43 AM
Tarik, thanks for the input. Yes, I am looking for more details than provided in the 1.1.1 user guide. I have found docs indicating either a cn=X filter or the wildcard you have identified, but I need to string these together or I will easily exceed the 100 group limit.
I need to define down further to a specific OU, then to the Domain User / Domain Computer. There are over 50 OUs with different domain users groups; I only want to pull from one.
Thanks again for the info
Pat
07-17-2012 10:54 AM
Patrick,
One thing you could do is pull the attributes of your user account in order to get the format of the memberOf group, which should have the full path including the OUs of that user. Or run a test authentication from an IOS device or even the ASA.
Take that value and place the wildcards and see if that gets you the groups you are after.
Let me know if that works.
Tarik Admani
*Please rate helpful posts*
07-18-2012 04:17 AM
If the AD is big you should run a detailed test; this will tell you the sites and services policy ISE is getting, along with the DC it is connecting to. You may just be running into an issue where you're connecting to a server that has slow replication. If sites and services are not configured correctly in AD then ISE may sit for long periods of time searching AD for the group you are filtering against.
Sent from Cisco Technical Support iPhone App
07-18-2012 12:29 PM
Chris, thanks for the input. I am still looking for the answer to the question:
What is the correct syntax to use in the "Add group filter" when I am trying to cut to the bottom of 5 or 10 layers of AD object structure? The key I need to get to is the structure
OU=A,OU=B,OU=C,OU=D,DC=1,DC=2,DC=3,DC=4
and I need to pull all the groups under "OU=A".
I also have no access to the Domain itself
Thanks
Pat
07-18-2012 01:15 PM
The filter does a sub search for group names only. If you want to find all groups starting with admin then you search on cn=admin*, and every group starting with admin in the entire forest structure will show up. If you want all groups in ou=chi,ou=national, well, that's no fun because you can't filter on OU, just on group names, and would need to enter each group name and add them one at a time.
Sent from Cisco Technical Support iPhone App
07-18-2012 04:30 PM
Patrick,
Please try this as an example: "OU=Employees,DC=DOMAIN,DC=COM". I tested this in my lab as the search base DN and then hit the * under the group filter, and it pulled all the groups under the Employees OU.
Hope this helps,
Tarik Admani
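The two points made above (the group filter matches on the group name only, with a trailing wildcard, while the search base DN decides which subtree is searched) can be checked offline against an exported list of group DNs before touching the ISE join. This is an added example, not code from the thread or from Cisco; the group DNs are constructed, and the matching rules (case-sensitive wildcard on CN, subtree scoping, the 100 group limit) follow what the posts describe.

```python
import re

# Constructed sample of group DNs, in the shape an ldapsearch export would list them
# (not real data from the thread or any directory).
SAMPLE_GROUP_DNS = [
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Domain Computers,CN=Users,DC=example,DC=com",
    "CN=Domain Users,OU=A,OU=B,OU=C,OU=D,DC=example,DC=com",
    "CN=Admins-NOC,OU=A,OU=B,OU=C,OU=D,DC=example,DC=com",
    "CN=domain guests,OU=Other,DC=example,DC=com",
]

def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs; assumes no escaped commas in values."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]

def under_base(group_dn, base_dn):
    """True if group_dn is inside the subtree rooted at base_dn (DN comparison is case-insensitive)."""
    g = [(a.lower(), v.lower()) for a, v in parse_dn(group_dn)]
    b = [(a.lower(), v.lower()) for a, v in parse_dn(base_dn)]
    return len(g) >= len(b) and g[-len(b):] == b

def cn_matches(group_dn, pattern, case_sensitive=True):
    """ISE-style group filter: literal text plus '*' wildcards applied to the group's CN.
    The thread reports the ISE filter is case sensitive, so that is the default here."""
    cn = parse_dn(group_dn)[0][1]
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, cn, flags) is not None

def preview_groups(group_dns, base_dn, pattern, limit=100):
    """Return the groups a base DN plus filter would select, and whether they fit the group limit."""
    matches = [dn for dn in group_dns if under_base(dn, base_dn) and cn_matches(dn, pattern)]
    return matches, len(matches) <= limit

def ldap_filter(pattern):
    """Equivalent LDAP filter for checking the same selection against a live DC with ldapsearch."""
    return "(&(objectClass=group)(cn=%s))" % pattern

if __name__ == "__main__":
    # Scope to OU=A via the base DN, then use '*' as the filter, as suggested in the thread.
    groups, ok = preview_groups(SAMPLE_GROUP_DNS, "OU=A , OU=B, OU=C, OU=D, DC=example, DC=com", "*")
    for dn in groups:
        print(dn)
    print("within limit:", ok)
```

Run the same selection against a live DC with `ldapsearch -b "<base DN>" "$(ldap_filter output)" dn` to confirm the directory agrees with the offline preview before committing the join settings.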
07-26-2012 07:38 AM
Thanks to all for responding. In the end, I used an LDAP connection to the AD structure and was able to get where I needed to be.
03-04-2013 05:16 AM
I can confirm I am having the exact same issue with 1.1.2. I opened a TAC case and there doesn't seem to be much of a resolution to the problem.