Solved: Re: ISE not pulling all identity attributes from AD.

jahamilton1 · ‎03-28-2017

I'm trying to use the device group condition to create an authorization policy based on user attributes from the AD.

It didn't work out and also got this from the report.

Code 24100 seems to be the problem. Cause I have deployed similar policy for another client and code 24100 seems to be the only strange report I can see.

Thanks.

hslai · ‎03-30-2017

The error implies the attribute is empty. If your AD test is done with the same user, are you seeing it differently?

For example, I configured an authz profile to return the attribute "mail" from AD. It does NOT give 24100 when the AD user has non-empty value for this attribute; whereas it gives 24100 for an user not configured for this attribute.

View solution in original post

Oliver Laue · ‎03-28-2017

did you see these attributes on the client if you use the AD test tool on external identity sources?

jahamilton1 · ‎03-28-2017

Yes I do. All required required attributes were pulled when I did a test

tool.

hslai · ‎03-30-2017

The error implies the attribute is empty. If your AD test is done with the same user, are you seeing it differently?

For example, I configured an authz profile to return the attribute "mail" from AD. It does NOT give 24100 when the AD user has non-empty value for this attribute; whereas it gives 24100 for an user not configured for this attribute.