I have found a bug in Cisco ISE Patch 9
In ISE 2.4 menu Administration/Identity Management/External Identity Source/, after installing the ISE 2.4 patch 9 it’s not possible to retrieve the groups of AD user
I’ve tried in with Kerberos, Lookup, MS-RPC, but the result is the same
Luckily, I have verified that this behavior does not affect the authentication and authorization process, so the policies are applied correctly.
That’s an environment that can easily be reproduced in a lab test:
You have to install ISE 2.4, join to AD, install patch 8, test the AD user, install patch 9, test the AD user and try to see what’s happening
I use this tool often, it's very useful to troubleshoot the user groups and attributes, and also to check the status of AD connection.
Yes, I was able to reproduce. Please open a TAC SR and have them reference CSCvq78503. May not be visible to you yet as it was just created. Unfortunately I do not see a workaround for this defect. Thank you for reporting it to us.
I also had this problem after installing patch 9.
I,m using Microsoft cmd line commands to find out group memberships for
machines and users....
examples: net group "Domain Computers" /domain | find "machine name" or net user xxxx /domain
waiting for patch 10 :)