use nested groups across multiple AD domains for admin access to ISE

EdwardvdM
Level 1

Hi,

 

Is it supported to use nested groups for authorization across multiple AD domains? For example:

 

Root domain: mycorp.local
  Child1: child1.mycorp.local
    Group: group1 (member of group2 in child2.mycorp.local)
  Child2: child2.mycorp.local
    Group: group2

 

ISE is joined to child2.mycorp.local. group2 is imported into the group list under the Active Directory domain and added as an external group in the admin groups. This is a stock-standard forest; nothing strange has been done to cripple the trusts between domains.

 

When I'm trying to authenticate with a user from child1 which is a member of group1, authentication fails and the logs say it's due to zero RBAC groups:

 

2020-04-24 16:48:35,476 ERROR [admin-http-pool12][] cpm.admin.infra.action.LoginAction -::::- An exception in Login Check() com.cisco.cpm.nsf.api.exceptions.NSFAuthenticationFailed: Authentication failed due to zero RBAC Groups.
2020-04-24 16:48:35,476 ERROR [admin-http-pool12][] cpm.admin.infra.action.LoginAction -::::- Can't save locale. loginSuccess: false
2020-04-24 16:48:35,480 ERROR [admin-http-pool12][] cisco.cpm.nsf.impl.UserIdentityManagement -::::- Cannot save LastAuthTime data. User edward is empty
2020-04-24 16:48:36,007 INFO [admin-http-pool15][] cpm.admin.infra.action.AdminAuthenticationAction -::::- In AdminAuthenticationAction.loadIdentityStores method called

 

I know the structure doesn't make much sense, as I can add group1 in the admin groups, but it's due to internal policies. I've tested nested groups within the same domain, which works fine, but I guess doing that when crossing domain boundaries is a limitation.

 

ISE version: ISE 2.6 (unpatched, as I'm just running it in a lab)

 

Thanks,
Edward
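As an added example (not from the post or from Cisco ISE), a small Python parser for the ise-psc.log layout quoted above that flags admin logins failing with zero RBAC groups and joins each failure to the user name the same worker thread logs a few lines later. The sample lines are the four from the post; the line layout regex is an assumption based only on those lines.

```python
import re

# Constructed sample input: the four ise-psc.log lines quoted in the post above.
SAMPLE_LOG = """\
2020-04-24 16:48:35,476 ERROR [admin-http-pool12][] cpm.admin.infra.action.LoginAction -::::- An exception in Login Check() com.cisco.cpm.nsf.api.exceptions.NSFAuthenticationFailed: Authentication failed due to zero RBAC Groups.
2020-04-24 16:48:35,476 ERROR [admin-http-pool12][] cpm.admin.infra.action.LoginAction -::::- Can't save locale. loginSuccess: false
2020-04-24 16:48:35,480 ERROR [admin-http-pool12][] cisco.cpm.nsf.impl.UserIdentityManagement -::::- Cannot save LastAuthTime data. User edward is empty
2020-04-24 16:48:36,007 INFO [admin-http-pool15][] cpm.admin.infra.action.AdminAuthenticationAction -::::- In AdminAuthenticationAction.loadIdentityStores method called
"""

# One log line as laid out in the post (assumed layout): timestamp, level, [thread][], logger, "-::::-", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]*)\]\[[^\]]*\] (?P<logger>\S+) -::::- (?P<msg>.*)$"
)
ZERO_RBAC = "Authentication failed due to zero RBAC Groups"
USER_RE = re.compile(r"\bUser (?P<user>\S+) is empty")


def parse_lines(text):
    """Return one dict per line matching LINE_RE; lines in any other layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def zero_rbac_failures(text):
    """Admin logins that failed with zero RBAC groups, in log order.

    The failure line itself names no user; the worker thread that handled the
    login logs the name a few lines later, so the thread name is the join key.
    A thread whose failure is still awaiting a user name is tracked in `pending`.
    """
    failures, pending = [], {}
    for ev in parse_lines(text):
        if ZERO_RBAC in ev["msg"]:
            pending[ev["thread"]] = len(failures)
            failures.append({"ts": ev["ts"], "thread": ev["thread"], "user": None})
        elif ev["thread"] in pending:
            um = USER_RE.search(ev["msg"])
            if um:
                failures[pending.pop(ev["thread"])]["user"] = um.group("user")
    return failures


if __name__ == "__main__":
    for f in zero_rbac_failures(SAMPLE_LOG):
        print(f"{f['ts']} thread={f['thread']} user={f['user']}")
```

Because thread names in the admin-http pool are reused, the join only covers the lines between a failure and the next user-name line on that thread; a failure with no such line keeps `user` as None.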

 

2 Replies

Hi,

 

Unfortunately that doesn't fix it. When using the test tool it retrieves local groups fine for the user I'm trying to authenticate with, but any nested groups in another domain (within the same forest) don't show up.

 

Thanks,
Edward