12-13-2017 07:24 AM
Is there a way to have ISE only search for a user under a specific OU/Group in AD when doing authentication? I know that I can use ExternalGroup to only allow certain AD groups to be authorized, but this is before that, during authentication. I came across an issue when migrating from ACS to ISE, where users have a domain computer with the same name as their username. During AD authentication, ISE finds the domain computer account first and fails authentication, as the passwords don't match. Interestingly, the same AD setup worked for ACS 5.5. I can only see an option to put the ISE machine account under a certain OU when joining the AD. This is with ISE 2.3 patch 1. I know that I can change the computer name to something else (it should not have been the same in the first place), but I am trying to see if there is a way I can get this working on ISE without doing that.
Thanks in advance.
12-13-2017 08:50 AM
If possible and not already done, please engage Cisco TAC, as we need to understand the exact use case and to have a recreate.
Your use case looks like CSCva75869, but that was resolved in ISE 2.1 Patch 2 and 2.2 FCS, so I expect the fix is also in ISE 2.3.
CSCvf21978 is another bug on AD identity resolution and has not been addressed in any of the ISE 2.3 patch releases yet.
When connecting to Active Directory using the Active Directory connector, ISE does not limit by OU or group for authentications. When connecting to AD using the LDAP connector, ISE can limit the users and groups by OU.
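The collision described in the question (a user and a computer account sharing a name) is something worth auditing before a migration, and the LDAP-connector option mentioned in the answer comes down to a search filter that only ever matches person objects. The script below is an added example, not code from this thread or from Cisco ISE: it assumes the directory has been exported to (objectClass, sAMAccountName, distinguishedName) tuples, for instance from an LDAP search, and the entries in `SAMPLE_EXPORT` are constructed sample data. It relies on two AD facts: a computer account's sAMAccountName is the machine name with a trailing `$`, and computer objects are also of objectClass `user`, so a user-only filter needs `objectCategory=person`.

```python
"""Audit an Active Directory export for user/computer name collisions and
build a user-only LDAP search filter.

Added example, not from the thread or from Cisco ISE. Assumes the directory
has already been exported to (objectClass, sAMAccountName, DN) tuples; the
entries below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample export: (objectClass, sAMAccountName, distinguishedName)
SAMPLE_EXPORT = [
    ("user", "jsmith", "CN=John Smith,OU=Staff,DC=example,DC=com"),
    ("computer", "JSMITH$", "CN=JSMITH,OU=Workstations,DC=example,DC=com"),
    ("user", "adoe", "CN=Alice Doe,OU=Staff,DC=example,DC=com"),
    ("computer", "LAB-PC01$", "CN=LAB-PC01,OU=Workstations,DC=example,DC=com"),
    ("user", "svc-backup", "CN=svc-backup,OU=Service,DC=example,DC=com"),
    ("computer", "SVC-BACKUP$", "CN=SVC-BACKUP,OU=Servers,DC=example,DC=com"),
]


def bare_name(object_class, sam_account_name):
    """Login name with the computer-account '$' suffix removed, lower-cased
    because sAMAccountName matching in AD is case-insensitive."""
    name = sam_account_name.lower()
    if object_class.lower() == "computer" and name.endswith("$"):
        name = name[:-1]
    return name


def find_collisions(entries):
    """Return {bare_name: [(objectClass, DN), ...]} for every name that exists
    as both a user account and a computer account."""
    by_name = defaultdict(list)
    for object_class, sam, dn in entries:
        by_name[bare_name(object_class, sam)].append((object_class.lower(), dn))
    return {
        name: hits
        for name, hits in by_name.items()
        if {cls for cls, _ in hits} >= {"user", "computer"}
    }


def escape_ldap_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (
        value.replace("\\", "\\5c")
        .replace("*", "\\2a")
        .replace("(", "\\28")
        .replace(")", "\\29")
        .replace("\x00", "\\00")
    )


def user_only_filter(login):
    """LDAP filter that matches a user object and never a computer object.
    objectCategory=person is required because computer objects are also of
    objectClass user in the AD schema."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % (
        escape_ldap_value(login)
    )


if __name__ == "__main__":
    for name, hits in sorted(find_collisions(SAMPLE_EXPORT).items()):
        print("collision: %s" % name)
        for cls, dn in hits:
            print("    %-8s %s" % (cls, dn))
    print(user_only_filter("jsmith"))
```

Running it over the sample data reports `jsmith` and `svc-backup` as colliding and leaves `adoe` alone; the filter builder shows the shape of a search that an LDAP-based identity source can be scoped with, combined with a search base pointing at the OU that holds the user accounts.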
12-14-2017 11:18 AM
Thanks Hsing,
That's what I thought. Do you know if this has changed from the ACS? Because when I point the same user to the ACS for authentication, it is able to find the right user account rather than the machine account. I don't believe the AD integration with ACS has the ability to search users within a particular OU either.
12-14-2017 12:57 PM
IIRC ISE 1.0 ~ 1.2.x use the same AD connector as ACS 5.x up until 5.7; ISE 1.3+ and ACS 5.8 use the newer AD implementation.