12-10-2018 08:24 AM
Hi all,
got the following request from one of my customers: They want to use ISE for device administration and want to do authentication as well as authorization based on group membership locally on ISE. The users are also stored within AD, and of course they are also members of certain groups within AD. AD is attached to ISE via LDAP.
Now they would like ISE to synchronize group membership between LDAP and ISE, which means, if a group membership in LDAP is changed, ISE should reflect this change in the local database as well.
The reason why they want to do it this way is to be independent from Active Directory availability. If AD is not reachable, proper authentication/authorization still should happen.
Is there someone out there already doing this? If so, how?
Any comment is welcome.
Roland
12-10-2018 09:14 AM
12-10-2018 11:14 AM
I might be wrong here, but ACS had a feature that would allow it to shadow the AD user credentials and create a local copy on ACS in case the AD connection was unavailable. That doesn't exist in ISE either.
I guess the onus is on the AD infrastructure to be 100% available :(