ISE Machine Account permissions

jpoaps915
Level 1

Hi All,

I am having some issues with command sets and ISE. In the TACACS live log I receive an error of "ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS" and "The ISE machine account does not have the required privileges to fetch groups." We are running ISE 2.0.

Cisco TAC sent this to me:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200349-ISE-1-3-AD-Authentications-Fail-with-Err.html

Which I have tried and still failed.

When I do a test user in ISE, I can only retrieve 26 groups max. My question is: how do I go about granting my COMPUTER account in AD the proper permissions (I believe it's the tokengroup attribute)? Any input is appreciated.

Accepted Solutions

Rahul Govindan
VIP Alumni

The following document shows you how to add the right permissions for the ISE computer account to retrieve groups:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200780-Fix-Active-Directory-group-retrieval-iss.html

Can you try the above steps and see if this works?

Thanks Rahul...

This worked!