Solved: ISE Joined with AD but Some Groups Are Missing

SiJian Bao · ‎06-16-2013

Folks,

In my ISE, i have already joined my AD in a Windows 2008 server. But when I retrieve the groups with *, some groups are missing. I mean there is a group like XXX.COM\COMPANY\IDG\HR in my 2008 server, but i cannot retrieve that in my ISE, the group is Global. Is that a bug of ISE or are there some special limits in importing my groups into ISE?

Regards,

Venkatesh Attuluri · ‎06-18-2013

ISE can retrieve max 100 group list and as you have stated that the number did not reach 100 ,Check if the Active Directory configuration in the Administration ISE node user
interface is correct or you can add the missing groups directly use the following refer to adding groups manually

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

View solution in original post

Jatin Katyal · ‎06-18-2013

Sijian,

As a work around have you tried to use a more granular filter to bring in chunks of groups at a time.

The limit will be increased in future. You amy also read the discussion happened on the similar issue:

https://supportforums.cisco.com/thread/2160538

Supported link:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059262

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

Octavian Szolga · ‎06-17-2013

When importing AD groups in ISE using * you get max 100 group listed.

That doesn't mean that you group is not visible/'importable' to ISE

If you want to import a specific group, use *mygroupname*.

SiJian Bao · ‎06-17-2013

Hello Sctavian,

Thanks for your help. But the number of the groups I retrieved with * does not reach 100, in fact it's 88, in this case, some groups are still missing.

I will try using add group directly.

Venkatesh Attuluri · ‎06-18-2013

ISE can retrieve max 100 group list and as you have stated that the number did not reach 100 ,Check if the Active Directory configuration in the Administration ISE node user
interface is correct or you can add the missing groups directly use the following refer to adding groups manually

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059262

SiJian Bao · ‎06-18-2013

Thanks Venkatesh! I think that may be a bug of ISE. I can add the missing groups directly with "Add > Add Groups" or using the command *the groups i want* with "Add > Select Groups From Directory"

Jatin Katyal · ‎06-18-2013

Sijian,

As a work around have you tried to use a more granular filter to bring in chunks of groups at a time.

The limit will be increased in future. You amy also read the discussion happened on the similar issue:

https://supportforums.cisco.com/thread/2160538

Supported link:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059262

Jatin Katyal
- Do rate helpful posts -

~Jatin

SiJian Bao · ‎06-18-2013

Jatin,

Yup, I succeeded to find my groups using granular filter like *Account*, Thanks for your help

Jatin Katyal · ‎06-18-2013

Nice! thanks for updating the thread.

Jatin Katyal
- Do rate helpful posts -

~Jatin