So we have multiple ISE Servers with differing personas. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules.
We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running v188.8.131.528 with the latest two patches.
I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After resyncing all the boxes with the Primary Administration box I was able to do this. There are no bug listings for this occurrence, nor do we have Smartnet to call support for other reasons. I thought this might be useful to someone who is having the same issue and is unable to figure it out with TAC.
Under the deployment tab, were all the nodes in sync? What did you do in order to resync, just apply the sync up (don't know the exact syntax) to force replication?
*Please rate helpful posts*
Absolutely. All units said in-sync after setting their personas.
Here is our layout:
ISE-ADM-01 Admin-Primary, Monitoring-Secondary
ISE-ADM-02 Admin-Secondary, Monitoring-Primary
ISE-PDP-01 Policy Only
ISE-PDP-02 Policy Only
I synced one at a time starting with ADM-02. After completing the other two boxes, Active Directory Attribs were pulled down when using them in the Ext Group within my Authz rules.
I have identified what causes this to happen.
This only happens if your setup has PDP servers not a part of your Admin and Troubleshooting boxes and you change the You must resync the PDP boxes to update the information; it must not be updating automatically.
Hope this helps someone else. I cannot create a bug ID for this.