793 Views | 0 Helpful | 5 Replies

ISE not seeing deep enough into AD structure

Not applicable

Hi all; I have no experience with ISE but am trying to help out some folks who are using the tool. 

They are trying to pull info out of AD in our heavily nested structure, but can't see further than SIX levels deep. We have end-user machines in OUs that are EIGHT deep. Here it is, with some of the names changed for privacy reasons:

OU=Windows10,OU=Client Devices,OU=xx.yyy.zzz,OU=Infrastructure Services,DC=PROD,DC=aaa,DC=bbb,DC=GOV

The folks using the tool report they can only see to the "OU=xx.yyy.zzz" level - they can't see "OU=Client Devices" or "OU=Windows10".

The error they are getting: 

Could not find SID for group: '<hidden>/Infrastructure Services/<hidden>/Client Devices/Windows10'. Specific error is: 'The group name is invalid'.
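As an added illustration (not code from this thread, from Cisco, or from ISE itself), the following Python script parses an LDAP distinguished name into its components, measures how many naming levels deep a container sits, renders the DN in the root-first slash form that the ISE error message uses, and shows which containers would fall outside a depth cap. The six-level cap is the figure the question reports, not a documented product limit; the DN from the question is used as-is, and the other sample DNs are constructed.

```python
# Added example: check how deep AD containers sit and which ones fall
# outside a given resolver depth. The cap of 6 is the value reported in
# the question above, not a documented ISE limit (assumption).
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def split_rdns(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, leaf first. Backslash escapes
    are honoured (RFC 4514), so 'OU=Sales\\, EMEA' stays one component."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped char is taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        part = part.strip()
        if not part:
            raise ValueError("empty RDN in DN: %r" % dn)
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def depth(dn: str) -> int:
    """Number of naming levels from the forest root down to this container."""
    return len(split_rdns(dn))


def ou_path(dn: str) -> str:
    """Root-first view in the style of the ISE error text: the domain
    (DC parts joined with dots) followed by each OU from root to leaf."""
    rdns = split_rdns(dn)
    domain = ".".join(v for t, v in rdns if t == "DC")
    ous = [v for t, v in rdns if t == "OU"]
    return "/".join([domain] + list(reversed(ous)))


def visible_prefix(dn: str, max_levels: int) -> Tuple[str, List[RDN]]:
    """Deepest container a resolver limited to max_levels can still name,
    plus the leaf RDNs it cannot reach (leaf first)."""
    rdns = split_rdns(dn)
    hidden = max(0, len(rdns) - max_levels)
    reachable = ",".join("%s=%s" % (t, v) for t, v in rdns[hidden:])
    return reachable, rdns[:hidden]


def audit(dns: List[str], max_levels: int) -> List[Dict[str, object]]:
    """Flag every DN that is nested deeper than max_levels."""
    report = []
    for dn in dns:
        d = depth(dn)
        _, unreachable = visible_prefix(dn, max_levels)
        report.append({
            "dn": dn,
            "depth": d,
            "over_limit": d > max_levels,
            "unreachable": [v for _, v in unreachable],
        })
    return report


# The DN from the question (names already anonymised by the poster).
QUESTION_DN = ("OU=Windows10,OU=Client Devices,OU=xx.yyy.zzz,"
               "OU=Infrastructure Services,DC=PROD,DC=aaa,DC=bbb,DC=GOV")

# Constructed samples: one shallow, one with an escaped comma in an OU name.
SAMPLE_DNS = [
    QUESTION_DN,
    "OU=Servers,DC=example,DC=test",
    "OU=Laptops,OU=Sales\\, EMEA,OU=Clients,DC=corp,DC=example,DC=test",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_DNS, max_levels=6):
        flag = "OVER LIMIT" if row["over_limit"] else "ok"
        print("%-10s depth=%d unreachable=%s" % (flag, row["depth"], row["unreachable"]))
        print("           path:", ou_path(str(row["dn"])))
```

Run against the question's DN with a cap of six, the script reports depth 8 and lists "Windows10" and "Client Devices" as the two unreachable containers, which is exactly what the poster's colleagues observe. The audit is useful before any connector upgrade: pull computer object DNs from the directory and feed them in to see how many objects sit past the depth the connector can resolve.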

5 Replies

marce1000
Hall of Fame

- Please re-post in Security -> AAA Identity and NAC

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Not applicable

Done.

What version of ISE are you using? In 2.0 and later you can specify the OU and join point explicitly.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612

Thanks Marvin; not sure, I'm the middleman. I will ask them first thing Monday morning.

But, do you know if versions PRIOR to 2.0 had a limitation insofar as how many levels deep they can query down into?

Thanks again...

You're welcome.

Yes I believe it did.

However, ISE 1.x is getting quite old. 1.4 was released over 2 years ago and many, many improvements have been made since then. The whole AD connector and related serviceability features were revamped in 2.x. Anybody using that feature in any robust sense would be well served to migrate to the current release (2.2 patch 1).