03-14-2016 12:49 AM
Hello team,
Can you please help me: is it possible for ISE to retrieve the group membership information for a disabled account in AD?
As per the documentation, EAP-TLS authentication checks whether the user is disabled or locked out, and the authentication fails if either of these conditions is met. Cisco ISE can retrieve user or machine groups from Active Directory after a successful authentication.
In our case, the user is authenticated using certificates, so in the ISE reports we see a successful authentication event but an unsuccessful authz (expected, and the customer is OK with it).
The ACS documentation says that it can retrieve group membership and attributes for a disabled account. Can ISE do something like that?
03-14-2016 06:37 AM
This likely changed because ISE moved to the new AD connector implementation in ISE 1.3. I will unicast you some relevant info. I would expect the same for ACS 5.8.
03-14-2016 06:54 AM
Thank you very much for that. We have ISE 1.3, actually.
03-14-2016 08:15 AM
An update for future reference: the customer managed to retrieve the groups for a disabled account using the LDAP connector. It can be used as a workaround.
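Added example (not part of the thread and not from the poster or from Cisco): the reason the LDAP workaround above works is that a plain LDAP search against AD returns the memberOf attribute regardless of account state; the disabled and lockout state lives in separate attributes (userAccountControl and lockoutTime) that the caller has to inspect itself. The script below decodes a constructed LDIF snippet, shaped like what ldapsearch would return for one disabled and one enabled user, and shows both pieces of information side by side. The domain, user names, group names and the lookup helper are all assumptions for illustration.

```python
# Added illustration: what an LDAP search against AD exposes for a disabled
# account. SAMPLE_LDIF is constructed data, not captured from a real domain.
from typing import Dict, List

# userAccountControl bit flags (ADS_UF_* values from Microsoft's documentation)
UAC_ACCOUNTDISABLE = 0x0002   # account is disabled
UAC_NORMAL_ACCOUNT = 0x0200   # ordinary user account

# Constructed sample: jdoe is disabled (512 + 2 = 514), asmith is enabled (512).
# Note that both still carry memberOf values.
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 514
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
lockoutTime: 0

dn: CN=asmith,OU=Users,DC=example,DC=com
sAMAccountName: asmith
userAccountControl: 512
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse a minimal LDIF dump (blank-line separated, 'attr: value' lines,
    multi-valued attributes repeated) into a list of attribute dicts."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_disabled(entry: Entry) -> bool:
    """True if the ACCOUNTDISABLE bit is set in userAccountControl."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return bool(uac & UAC_ACCOUNTDISABLE)


def has_lockout_record(entry: Entry) -> bool:
    """AD records lockouts in lockoutTime, not in a userAccountControl bit.
    A nonzero value means a lockout was recorded; whether it is still in
    effect depends on the domain's lockout duration, which is not in the entry."""
    return int(entry.get("lockoutTime", ["0"])[0]) != 0


def group_names(entry: Entry) -> List[str]:
    """Extract the CN of each group DN in memberOf. Simplified: assumes no
    escaped commas in the RDN, which holds for the sample data."""
    names = []
    for dn in entry.get("memberOf", []):
        rdn = dn.split(",", 1)[0]           # e.g. "CN=VPN-Users"
        names.append(rdn.split("=", 1)[1])
    return names


def lookup(ldif: str, sam_account_name: str) -> dict:
    """Hypothetical helper: return account state and groups for one user."""
    for entry in parse_ldif(ldif):
        if entry.get("sAMAccountName", [None])[0] == sam_account_name:
            return {
                "disabled": is_disabled(entry),
                "lockout_recorded": has_lockout_record(entry),
                "groups": group_names(entry),
            }
    raise KeyError(f"no entry with sAMAccountName={sam_account_name}")


if __name__ == "__main__":
    for sam in ("jdoe", "asmith"):
        print(sam, lookup(SAMPLE_LDIF, sam))
```

Against a live directory the equivalent query is something like `ldapsearch -H ldaps://dc.example.com -b "DC=example,DC=com" -D "<bind account>" -W "(sAMAccountName=jdoe)" memberOf userAccountControl lockoutTime`, using a bind account that is allowed to read memberOf. The practical caveat is the flip side of the workaround: because the LDAP path hands back groups for disabled accounts too, any policy built on those groups must check the account-state attributes explicitly rather than assume that having groups implies an enabled account.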
03-14-2016 10:44 AM
Is it for reporting only? Anyhow, please continue in our direct email discussion and I will close this thread.