ISE search for AD user under specific OU/Group

Rahul Govindan
VIP Alumni

Is there a way to have ISE only search for users under a specific OU/Group in AD when doing Authentication? I know that I can use ExternalGroup to only allow certain AD groups to be Authorized, but this is before that, during Authentication. I came across an issue when migrating from ACS to ISE, where users have a domain computer with the same name as their username. During AD authentication, ISE finds the Domain Computer account first and fails authentication as the passwords don't match. Interestingly, the same AD setup worked for ACS 5.5. I can only see an option to put the ISE machine account under a certain OU when joining the AD. This is with ISE 2.3 patch 1. I know that I can change the computer name to something else (it should not have been the same in the first place), but I am trying to see if there is a way I can get this working on ISE without doing that.

Thanks in advance.

Accepted Solution

hslai
Cisco Employee

If possible and not already done, please engage Cisco TAC, as we need to understand the exact use case and to have a recreate.

Your use case looks like CSCva75869, but that was resolved in ISE 2.1 Patch 2 and 2.2 FCS, so I expect it is also in ISE 2.3.

CSCvf21978 is another bug on AD identity resolution and has not been addressed in any of ISE 2.3 patch releases yet.

When connecting to Active Directory using the Active Directory connector, ISE does not limit by OU or group for authentications. When connecting to AD using LDAP connector, ISE can limit the users and groups by OU.
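The distinction in the accepted answer (the AD connector searches the whole domain for an authentication, while the LDAP connector can be restricted to an OU) can be illustrated with a small model. The following is an added example, not ISE code and not from the original post: it builds a tiny directory from constructed entries, implements a minimal LDAP filter evaluator, and runs searches scoped by base DN. The lookup filter that matches a bare login name against both cn and sAMAccountName is an assumption made to reproduce the user/computer collision the question describes; it is not a statement of how ISE resolves identities internally.

```python
"""Model of LDAP-style identity resolution when a user and a computer object
share a name, and how a search base (OU) or an objectClass filter resolves it.

Added example, not ISE or Cisco code. The entries are constructed; the filter
evaluator supports only (&...), (|...), (!...) and (attr=value) and stands in
for a real LDAP search so the example runs offline.
"""

# Constructed sample directory. In AD a computer object is also of
# objectClass "user", and its sAMAccountName carries a trailing "$".
DIRECTORY = [
    {"dn": "CN=jsmith,OU=Workstations,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "cn": "jsmith", "name": "jsmith", "sAMAccountName": "jsmith$"},
    {"dn": "CN=John Smith,OU=Staff,OU=Users,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": "John Smith", "name": "John Smith", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@corp.example"},
    {"dn": "CN=Alice Lee,OU=Staff,OU=Users,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": "Alice Lee", "name": "Alice Lee", "sAMAccountName": "alee"},
]

ROOT = "DC=corp,DC=example"                 # whole-domain search base
USERS_OU = "OU=Users,DC=corp,DC=example"    # OU-scoped search base


def _split_dn(dn):
    """Split a DN into normalised RDN components, most specific first."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_under(dn, base):
    """True if dn lies at or below base (suffix match on RDN components)."""
    d, b = _split_dn(dn), _split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def parse_filter(text):
    """Parse a subset of RFC 4515 filter syntax into a small tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r expression at offset %d" % (op, i))
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("malformed equality at offset %d" % i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip(), value.strip()), j + 1


def _attr(entry, name):
    """Case-insensitive attribute lookup returning a list of values."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(entry, node):
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = _attr(entry, attr)
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    kids = node[1]
    if op == "&":
        return all(matches(entry, k) for k in kids)
    if op == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])  # op == "!"


def search(directory, base, filter_text):
    """Return DNs of entries under base that satisfy the filter, in server order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if dn_under(e["dn"], base) and matches(e, node)]


def resolve_by_name(directory, login, base=ROOT):
    """Assumed ambiguous lookup: a bare login name matched on cn or sAMAccountName.
    From the domain root this returns the computer object before the user."""
    return search(directory, base, "(|(cn=%s)(sAMAccountName=%s))" % (login, login))


def resolve_user_only(directory, login, base=USERS_OU):
    """Lookup scoped to an OU and excluding computers (which are also 'user')."""
    return search(directory, base,
                  "(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=%s))" % login)


if __name__ == "__main__":
    print("ambiguous, whole domain:", resolve_by_name(DIRECTORY, "jsmith"))
    print("ambiguous, Users OU only:", resolve_by_name(DIRECTORY, "jsmith", USERS_OU))
    print("user-only filter:", resolve_user_only(DIRECTORY, "jsmith"))
```

Two things the model makes visible: the collision only appears when the lookup can match the computer's cn, and `(objectClass=user)` on its own does not exclude the computer object because AD computers inherit that class, so an OU-scoped base or an explicit `(!(objectClass=computer))` is what actually disambiguates.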

3 Replies

Thanks Hsing,

That's what I thought. Do you know if this has changed from the ACS? Because, when I point the same user to the ACS for authentication, it is able to find the right user account rather than machine account. I don't believe AD integration with ACS also has the ability to search users within a particular OU.

IIRC ISE 1.0 ~ 1.2.x use the same AD connector as ACS 5.x up until 5.7; ISE 1.3+ and ACS 5.8 use the newer AD implementation.