03-26-2013 10:20 AM - edited 03-10-2019 08:14 PM
Hello Dears,
I have integrated ISE with the Active Directory domain and everything went fine, but when I tried to retrieve the groups from the domain, I didn't get all the groups; many groups are missing and don't appear in ISE.
Is there any additional step on the domain or ISE to do to solve the issue?
Thanks for your help
Ibrahim
04-05-2013 08:13 PM
Hello,
As per my knowledge, if you are facing such an issue then you might have missed a step in the process of integrating ISE and AD.
For your reference, please refer to the link below, which might help you:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011
This link will provide you the step by step guide on how to integrate ISE with AD.
I hope this might help you.
04-06-2013 11:27 PM
When selecting groups from the directory, what Domain and Filter do you use?
04-09-2013 06:31 AM
Shouldn't using a wildcard '*' return at least the groups in the root of the domain? I too am having this issue. I am unable to pull any groups at all. I am concerned that my AD naming convention could be at play, as I used a hyphen in my server name and all caps for part of the domain name:
my-server.DOMAIN.local
That being said, doing a detailed connection test returns no problems.
04-11-2013 02:47 PM
Same issue: the domain group pull retrieves zero groups from my DC.
No error messages in ISE or DC event logs.
Using single DC users, e.g. for RADIUS login events, works just fine.
I guess some DC rights setting is missing to make it work?
My DC server has a default setup with no fancy customization.
Appreciate any help on this...
Edit: Here is an example of a successful Test Connection Result with Domain:
adinfo (CentrifyDC 4.5.0-357)
Host Diagnostics
uname: Linux ise 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 i686
OS: Red Hat Enterprise Linux Server
Version: 5.4 (Tikanga)
Number of CPUs: 2
IP Diagnostics
Local host name: ise
Local IP Address: 172.29.30.238
FQDN host name:ise.30.29.172.in-addr.arpa
Domain Diagnostics
Domain: company.com
Subnet site: default-first-site-name
DNS query for: _ldap._tcp.company.com
Found SRV records:
dc.company.com:389
Testing Active Directory connectivity:
Domain Controller: dc.company.com
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: dc.company.com:389
Domain controller type: Windows 2008 R2
Domain Name: company.com
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: company.com
DNS query for: _gc._tcp.company.com
Testing Active Directory connectivity:
Global Catalog: dc.company.com
gc: 3268/tcp - good
Domain Controller: dc.company.com:3268
Domain controller type: Windows 2008 R2
Domain Name: company.com
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: company.com
Retrieving zone data from company.com
Computer Account Diagnostics
Joined as: ise
Trusted for Delegation: false
Use DES Key Only: false
Key Version: 2
Service Principal Names: nfs/ise.company.com
nfs/ise
http/ise.company.com
http/ise
host/ise.company.com
host/ise
ftp/ise.company.com
ftp/ise
cifs/ise.company.com
cifs/ise
System Diagnostic
=======DNS Servers State==========
DNS Status: Up
=======DNS Server Info=======
Last Sweep: Thu Apr 11 23:20:23 2013
Fast Sweeps: 1
Deep Sweeps: 0
Okay Sweeps: 1
Failed Sweeps: 0
Cache Hits: 44
Cache Misses: 4
DNS Flushes: 0
=======DNS Server List=======
IP: 172.29.30.103
Status: Alive
udpSuccess: 16
tcpSuccess: 1
udpNoSuchName: 0
tcpNoSuchName: 0
udpTruncations: 0
tcpTruncations: 0
udpIOFailures: 0
tcpIOFailures: 0
udpTimeouts: 0
tcpTimeouts: 0
udpFailures: 0
tcpFailures: 0
udpServerFail: 0
tcpServerFail: 0
lastQueryTime: Fri Apr 12 08:25:24 2013
lastDnsCode: 0
Average Time: 0.000341087 seconds
IP: 172.29.30.237
Status: Alive
udpSuccess: 0
tcpSuccess: 0
udpNoSuchName: 0
tcpNoSuchName: 0
udpTruncations: 0
tcpTruncations: 0
udpIOFailures: 0
tcpIOFailures: 0
udpTimeouts: 0
tcpTimeouts: 0
udpFailures: 0
tcpFailures: 0
udpServerFail: 0
tcpServerFail: 0
lastQueryTime: Thu Jan 1 01:00:00 1970
lastDnsCode: 65535
Average Time: 0 seconds
=======DNS Cache contents==========
Hdc.company.com=>dc.company.com 172.29.30.103
S_kerberos._tcp.default-first-site-name._sites.company.com=>dc.company.com:88:100:0
S_kerberos._tcp.company.com=>dc.company.com:88:100:0
S_ldap._tcp.default-first-site-name._sites.company.com=>dc.company.com:389:100:0
========Domain info map========
DC=home,DC=local
CN = company.com
SID = S-1-5-21-2229097442-58476736-706075715
TRUST_ATTRS = 0x20
TRUST_DIRECTION = 3
TRUST_TYPE = 2
NTLM NAME = HOME
LOCAL FOREST = YES
===============Network State===================
Site Map
company.com=>default-first-site-name
Domain Map
company.com
dc:dc.company.com
gc:dc.company.com
forest:company.com
state:alive
swept:5 mins ago
Domain Controllers
dc.company.com (172.29.30.103)
pinged:5 mins ago
state:up
ping:0.000909 secs
forest:company.com
nbhost:dc
site:default-first-site-name
flags:WCTKLG
Blocked Services: None
===============DC Statistics===================
dc.company.com
Last Success:Fri Apr 12 08:25:04 2013
Last Failure:Thu Jan 1 01:00:00 1970
Successes:7
Failures:0
===================adagent internals===================
Binding Table
$=>dc.company.com(company.com) disconnected
company.com=>dc.company.com(company.com) connected
===================Property values===================
adclient.autoedit: true
adclient.autoedit.nss: false
adclient.autoedit.pam: false
adclient.cache.expires: 60
adclient.cache.expires.group: 86400
adclient.cache.expires.user: 60
adclient.cache.refresh: 15
adclient.clients.socket: /var/centrifydc/daemon
adclient.clients.socket2: /var/centrifydc/daemon2
adclient.clients.threads: 15
adclient.clients.threads.max: 30
adclient.force.salt.lookup: true
adclient.get.builtin.membership: true
adclient.hash.allow: no-one
adclient.ldap.timeout: 11
adclient.ldap.timeout.search: 14
adclient.server.try.max: 200
adclient.sntp.enabled: false
adclient.use.all.cpus: true
adclient.use.s4u: false
adclient.user.lookup.cn: false
adclient.user.lookup.display: false
adclient.watch.enabled: false
gp.disable.all: true
krb5.support.alt.identities: false
log: INFO
logger.facility.*: local6
logger.facility.adclient.audit: local6
logger.facility.adnisd: local6
logger.queue.size: 1024
lrpc.timeout: 30
nss.nobody.gid: 99
nss.nobody.group: nobody
nss.nobody.uid: 99
nss.nobody.user: nobody
nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users
nss.shell.nologin: /sbin/nologin
pam.allow.override: root
pam.user.ignore: root
secedit.system.access.maximumpasswordage: 0
system.access.MinimumPasswordAge: 0
system.access.maximumpasswordage: -1
Total;Count;Average;Name
Centrify DirectControl Status
Running in connected mode
Licensed Features: Enabled
SELinux status: disabled
amavis1.1.0
ccs1.0.0
clamav1.1.0
dcc1.1.0
dnsmasq1.1.1
evolution1.1.0
ipsec1.4.0
iscsid1.0.0
milter1.0.0
mozilla1.1.0
mplayer1.1.0
nagios1.1.0
oddjob1.0.1
pcscd1.0.0
postgrey1.1.0
prelude1.0.0
pyzor1.1.0
qemu1.1.2
razor1.1.0
ricci1.0.0
smartmon1.1.0
spamassassin1.9.0
virt1.0.0
zosremote1.0.0
06-12-2013 11:53 AM
A little late to this party, but I recently had this problem too and there are multiple settings that must be in place for group retrieval to work.
DNS must be properly configured so the FQDN of ISE is resolved correctly. Remember to include the reverse lookup zone as well. Ensure that the name-server defined on the ISE CLI points to this DNS. In my case I had two other servers defined which did not have the proper entries but were responding to LDAP/AD queries so the group query failed before the correct DNS was ever contacted. Also be sure the domain name is configured correctly on the ISE CLI to match the domain you've joined.
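As an added example (not part of this thread or of ISE), the Python check below reads an adinfo Test Connection result like the one posted above and flags the DNS-side conditions the reply above names as prerequisites for group retrieval: an ISE FQDN that does not resolve to a name in the joined domain (the posted output reports ise.30.29.172.in-addr.arpa, which is the missing reverse-zone symptom) and configured name servers that have never answered a query. The embedded sample is a constructed excerpt of the posted output; the function names are this example's own.

```python
# Constructed excerpt of the adinfo "Test Connection" output posted in this thread.
SAMPLE_ADINFO = """\
Local host name: ise
Local IP Address: 172.29.30.238
FQDN host name:ise.30.29.172.in-addr.arpa
Domain: company.com
=======DNS Server List=======
IP: 172.29.30.103
Status: Alive
udpSuccess: 16
tcpSuccess: 1
lastDnsCode: 0
IP: 172.29.30.237
Status: Alive
udpSuccess: 0
tcpSuccess: 0
lastDnsCode: 65535
"""


def parse_dns_servers(text):
    """Return one dict per 'IP:' block of the DNS Server List section."""
    servers = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "IP":
            servers.append({"ip": value})
        elif servers and key in ("udpSuccess", "tcpSuccess", "lastDnsCode"):
            servers[-1][key] = int(value)
    return servers


def check_adinfo(text):
    """Return a list of findings (empty list means no DNS problem was spotted)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:  # keep the first 'Domain:' etc.
            fields[key.strip()] = value.strip()
    findings = []
    fqdn, domain = fields.get("FQDN host name", ""), fields.get("Domain", "")
    # A PTR-derived in-addr.arpa name means the reverse zone has no entry for ISE.
    if fqdn.endswith(".in-addr.arpa"):
        findings.append(f"reverse lookup: FQDN resolved to {fqdn}, not a name in {domain}")
    elif domain and not fqdn.lower().endswith("." + domain.lower()):
        findings.append(f"domain mismatch: FQDN {fqdn} is not under joined domain {domain}")
    # A name server with zero successful queries cannot serve the records ISE needs.
    for srv in parse_dns_servers(text):
        if srv.get("udpSuccess", 0) + srv.get("tcpSuccess", 0) == 0:
            findings.append(f"dns server {srv['ip']}: no successful queries "
                            f"(lastDnsCode {srv.get('lastDnsCode')})")
    return findings
```

Paste the full adinfo output into SAMPLE_ADINFO (or read it from a file) to run it against your own Test Connection result.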