Sync ISE local user groups with external groups via LDAP

rmueller@cisco.com (Cisco Employee)

Hi all,

I got the following request from one of my customers: they want to use ISE for device administration and want to do authentication as well as authorization based on group membership held locally on ISE. The users are also stored within AD, and of course they are also members of certain groups within AD. AD is attached to ISE via LDAP.

Now they would like ISE to synchronize group membership between LDAP and ISE, which means, if a group membership in LDAP is changed, ISE should reflect this change in the local database as well.

The reason why they want to do it this way is to be independent from Active Directory availability. If AD is not reachable, proper authentication/authorization still should happen.

Is there someone out there already doing this? If so, how?

Any comment is welcome.

Roland

Accepted Solution

Surendra (Cisco Employee)

No, there is no option as such on the ISE to synchronize group membership.

2 Replies

Arne Bier (VIP)

I might be wrong here, but ACS had a feature that would allow it to shadow the AD user credentials and create a local copy on ACS in case the AD connection was unavailable. That doesn't exist in ISE either.

I guess the onus is on the AD infrastructure to be 100% available :(