08-22-2014 04:52 AM - edited 03-10-2019 09:57 PM
Hi,
I am testing ISE External AD authentication and when I rename an AD security group that the user is a member of authentication against ISE is still successful, however the group name shown in the logs is the original group name and not the new renamed group name. This appears to be the same for both nested groups and those mapped directly to ISE in my testing.
After waiting what could be potentially 24 hours between retesting after renaming the group this appears to then show the correct renamed group in the authentication log. I believe that ISE has an ADclient cache which I assume is where the group name is being pulled from for the ISE logs and hence why this shows incorrectly for a period of time until it is refreshed.
I did find details of a configuration option on the ISE CLI to "Clear Active Directory Trusts Cache and restart/apply Active Directory settings". I have attempted to do this and this makes no difference to the names of the groups in the authentication log. However this may be due to CSCul65329 that I have found that seems to exhibit the similar symptoms to what I am experiencing.
So I guess what I am asking is, has anyone else experienced similar issues when attempting to rename external AD groups? And if so, excluding the potential for CSCul65329 is the process when renaming AD external groups to Clear Active Directory Trusts Cache and restart/apply Active Directory settings.
Any help appreciated.
Many thanks
Andy
02-17-2015 01:54 PM
I can confirm this behavior. There is obviously a cache. An active directory change to your AD while you have mapped groups can be exciting also. There is also a bug where the mapped groups CANNOT be removed.
It is a mess. It appears that in the following CLI menu;
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
As you mention option [5] does nothing for 24 hours and then flushes it (for what possible reason?)
There is some ability I have heard to do this in real-time with a Linux operating system command.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide