ISE: Machine/user Active Directory group retrieving

Hello,

We are migrating our ACS 5.1 to ISE 1.0.4.

- On ACS we were doing 802.1x authentication over an Active Directory, assigning VLAN according to computer/user group. In some cases the user VLAN could be different from the computer VLAN (e.g. admin account connecting to a user account). This works great with ACS.

I tested the same function with ISE and the behaviour is a bit different:

- When the computer boots, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to, and the authorization profile is correctly applied according to the AD group.

- When the user logs in, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the ones belonging to the computer, not the user. So the authorization profile is the one from the computer, not the user.

It seems that the AD group attributes are not updated correctly:

- AD logs show the second authentication doesn't engage a new group parsing from AD

- Shutting down the switch port when the user is logged in engages a new authentication and AD groups are well updated.

- Bug Toolkit references the same bug but for WLC (CSCto83897), so I suspect it's present in other cases.

The NAS is Catalyst 3750 12.2.58(SE2)

Thanks much for your reply.
