Showing results for 
Search instead for 
Did you mean: 

Unable to access Sponsor portal with LDAP as a external identity

Hello Team,


Need your help.


Unable to access Sponsor portal with LDAP credentials.

configuration is correct. sponsor portal is working for AD & internal users but not for LDAP users 


Can anyone please help ??


Thanks in advanced.

3 Replies 3

Cisco Employee
Cisco Employee

One main difference between LDAP and AD or ISE internal user is ISE is not supporting nested LDAP group memberships.

Please ensure the user is a direct member of the LDAP group, which mapping to an ISE sponsor group.


Thanks for information.

Could you suggest where i will get those setting in LDAP server ??

I occasionally dabble in a bit of LDAP and I am always chuffed when things work. It's quite a complex thing to deal with and we are spoilt when dealing with AD (which hides all that LDAP stuff under the hood).

One tool I can recommend is AD Explorer from Microsoft SysInternals

Use this tool to bind to your LDAP/AD directory to see where things live and what attributes they have. I had to use this recently to figure out why things were failing when I switched my ISE AuthZ Condition from AD to LDAP and it kept failing. 


In my example below I was checking whether a user was a member of the AD Security Group called "ise-readonly". I could do it in two ways. In the first case I assigned the AD user's primary group to be "ise-readonly" which is something you probably can't always rely on. But in the second case, I managed to match the user's group membership by importing that group name from LDAP, and then using it in the AuthZ. The trick with the "memberOf" was that my LDAP setup config was not right to start with, and ISE was failing to read the LDAP Group table from AD.







Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: