
ISE and MS Active Directory Integration Issue

Rick Daoust
Level 1

It appears that our ISE 1.2 solution is having issues with nested MS AD groups. The first login attempt always fails, the second occasionally works and the third always works. Has anyone else experienced these login issues with ISE 1.2 and MS AD?

Sent from Cisco Technical Support iPhone App

5 Replies

Tarik Admani
VIP Alumni

Hi,

When you look at the authentication details, do you see the groups listed in the additional attributes? Also, are there any other conditions, such as endpoint groups, in combination with the authorization policy? Can you provide a screenshot of your policies?


Sent from Cisco Technical Support Android App

Hi Tarik,

Please see screenshots below:

[Screenshots: AD_auth_profile.png, AD_groups_ISE.png, AD_external_groups.png]

Thanks,

blenka
Level 3

Please check the information and steps to integrate Active directory.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1317829

Basant,

The integration against Active Directory is working fine; he is having issues with consistency. Does the link provided above address consistency issues?

Tarik Admani
*Please rate helpful posts*

Rick,

I am a little lost in the screenshots you posted. In the AD groups that you have pulled, I don't see an authorization policy mapped to the first group. In the authentication report it looks like authentication is successful.

I have seen that ISE will only display a few of the groups now in ISE 1.2. Can you build a policy based on the group you want it to show and then try your authentication again? That is when ISE will show the specific group, as opposed to ISE pre-1.2, where it would show more groups.

Thanks,

Tarik Admani
*Please rate helpful posts*