cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5660
Views
8
Helpful
5
Replies

ISE with AD Integration, Group retrieval

Hello Dears,

I have integrated ISE with Active Directory Domain and everything went fine, but when I tried to retrieve the groups from the Domain, I didn't get all Groups, many groups are missing and didn't appear on the ISE.

is there any additional step on the Domain or ISE to do, and slove the issue?

Thanks for your help

Ibrahim

5 Replies 5

harvisin
Level 3
Level 3

Hello,

As per my knowledge if you are facing such issue thn you might have missed a step in the process of integration of ISE and AD.

For your reference, please refer to the link below ehcih might help you

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011

This link will provide you the step by step guide on how to integrate ISE with AD.

I hope this might help you.

jrabinow
Level 7
Level 7

When select groups from the directory, what Domain and Filter do you use?

shouldnt using a wildcard '*' return at least the groups in the root of the domain?  I too am having this issue.  I am unable to pull any groups at all.  I am concerned that my AD naming convention could be at play; as I used a hyphen in my server name, and all caps for part of the domain name:

my-server.DOMAIN.local

that being said, doing a detailed connection test returns no problems. 

same issue, domain group pull retrieves zero groups from my DC.

no error messages in ISE or DC event logs.

Using single DC users e.g. for radius login events works just fine.

I guess some DC right setting is missing to make it work?

My DC server has a default setup with no fancy customization.

appreciate any help on this...

Edit: Here is an example of a successful Test Connection Result with Domain:

adinfo (CentrifyDC 4.5.0-357)

Host Diagnostics

  uname: Linux ise 2.6.18-274.17.1.el5PAE #1 SMP Wed Jan 4 22:49:48 EST 2012 i686

  OS: Red Hat Enterprise Linux Server

  Version: 5.4 (Tikanga)

  Number of CPUs: 2

IP Diagnostics

  Local host name: ise

  Local IP Address: 172.29.30.238

  FQDN host name:ise.30.29.172.in-addr.arpa

Domain Diagnostics

  Domain: company.com

  Subnet site: default-first-site-name

    DNS query for: _ldap._tcp.company.com

    Found SRV records:

      dc.company.com:389

  Testing Active Directory connectivity:

    Domain Controller: dc.company.com

      ldap:      389/tcp - good

      ldap:      389/udp - good

      smb:       445/tcp - good

      kdc:        88/tcp - good

      kpasswd:   464/tcp - good

      ntp:       123/udp - good

  Domain Controller: dc.company.com:389

    Domain controller type: Windows 2008 R2

    Domain Name:            company.com

    isGlobalCatalogReady:   TRUE

    domainFunctionality:           4 = (DS_BEHAVIOR_WIN2008_R2)

    forestFunctionality:           4 = (DS_BEHAVIOR_WIN2008_R2)

    domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

  Forest Name: company.com

    DNS query for: _gc._tcp.company.com

  Testing Active Directory connectivity:

    Global Catalog: dc.company.com

      gc:       3268/tcp - good

  Domain Controller: dc.company.com:3268

    Domain controller type: Windows 2008 R2

    Domain Name:            company.com

    isGlobalCatalogReady:   TRUE

    domainFunctionality:           4 = (DS_BEHAVIOR_WIN2008_R2)

    forestFunctionality:           4 = (DS_BEHAVIOR_WIN2008_R2)

    domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)

  Forest Name: company.com

Retrieving zone data from company.com

Computer Account Diagnostics

  Joined as: ise

  Trusted for Delegation: false

  Use DES Key Only: false

  Key Version: 2

  Service Principal Names: nfs/ise.company.com

                           nfs/ise

                           http/ise.company.com

                           http/ise

                           host/ise.company.com

                           host/ise

                           ftp/ise.company.com

                           ftp/ise

                           cifs/ise.company.com

                           cifs/ise

System Diagnostic

=======DNS Servers State==========

DNS Status: Up

=======DNS Server Info=======

Last Sweep:    Thu Apr 11 23:20:23 2013

Fast Sweeps:   1

Deep Sweeps:   0

Okay Sweeps:   1

Failed Sweeps: 0

Cache Hits:    44

Cache Misses:  4

DNS Flushes:   0

=======DNS Server List=======

IP:              172.29.30.103

Status:          Alive

udpSuccess:      16

tcpSuccess:      1

udpNoSuchName:   0

tcpNoSuchName:   0

udpTruncations:  0

tcpTruncations:  0

udpIOFailures:   0

tcpIOFailures:   0

udpTimeouts:     0

tcpTimeouts:     0

udpFailures:     0

tcpFailures:     0

udpServerFail:   0

tcpServerFail:   0

lastQueryTime:   Fri Apr 12 08:25:24 2013

lastDnsCode:     0

Average Time:    0.000341087 seconds

IP:              172.29.30.237

Status:          Alive

udpSuccess:      0

tcpSuccess:      0

udpNoSuchName:   0

tcpNoSuchName:   0

udpTruncations:  0

tcpTruncations:  0

udpIOFailures:   0

tcpIOFailures:   0

udpTimeouts:     0

tcpTimeouts:     0

udpFailures:     0

tcpFailures:     0

udpServerFail:   0

tcpServerFail:   0

lastQueryTime:   Thu Jan  1 01:00:00 1970

lastDnsCode:     65535

Average Time:    0 seconds

=======DNS Cache contents==========

Hdc.company.com=>dc.company.com 172.29.30.103

S_kerberos._tcp.default-first-site-name._sites.company.com=>dc.company.com:88:100:0

S_kerberos._tcp.company.com=>dc.company.com:88:100:0

S_ldap._tcp.default-first-site-name._sites.company.com=>dc.company.com:389:100:0

========Domain info map========

DC=home,DC=local

    CN              = company.com

    SID             = S-1-5-21-2229097442-58476736-706075715

    TRUST_ATTRS     = 0x20

    TRUST_DIRECTION = 3

    TRUST_TYPE      = 2

    NTLM NAME       = HOME

    LOCAL FOREST    = YES

===============Network State===================

Site Map

company.com=>default-first-site-name

Domain Map

company.com

dc:dc.company.com

gc:dc.company.com

forest:company.com

state:alive

swept:5 mins ago

Domain Controllers

dc.company.com (172.29.30.103)

pinged:5 mins ago

state:up

ping:0.000909 secs

forest:company.com

nbhost:dc

site:default-first-site-name

flags:WCTKLG

Blocked Services: None

===============DC Statistics===================

dc.company.com

Last Success:Fri Apr 12 08:25:04 2013

Last Failure:Thu Jan  1 01:00:00 1970

Successes:7

Failures:0

===================adagent internals===================

Binding Table

$=>dc.company.com(company.com) disconnected

company.com=>dc.company.com(company.com) connected

===================Property values===================

adclient.autoedit: true

adclient.autoedit.nss: false

adclient.autoedit.pam: false

adclient.cache.expires: 60

adclient.cache.expires.group: 86400

adclient.cache.expires.user: 60

adclient.cache.refresh: 15

adclient.clients.socket: /var/centrifydc/daemon

adclient.clients.socket2: /var/centrifydc/daemon2

adclient.clients.threads: 15

adclient.clients.threads.max: 30

adclient.force.salt.lookup: true

adclient.get.builtin.membership: true

adclient.hash.allow: no-one

adclient.ldap.timeout: 11

adclient.ldap.timeout.search: 14

adclient.server.try.max: 200

adclient.sntp.enabled: false

adclient.use.all.cpus: true

adclient.use.s4u: false

adclient.user.lookup.cn: false

adclient.user.lookup.display: false

adclient.watch.enabled: false

gp.disable.all: true

krb5.support.alt.identities: false

log: INFO

logger.facility.*: local6

logger.facility.adclient.audit: local6

logger.facility.adnisd: local6

logger.queue.size: 1024

lrpc.timeout: 30

nss.nobody.gid: 99

nss.nobody.group: nobody

nss.nobody.uid: 99

nss.nobody.user: nobody

nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users

nss.shell.nologin: /sbin/nologin

pam.allow.override: root

pam.user.ignore: root

secedit.system.access.maximumpasswordage: 0

system.access.MinimumPasswordAge: 0

system.access.maximumpasswordage: -1

Total;Count;Average;Name

Centrify DirectControl Status

  Running in connected mode

Licensed Features: Enabled

SELinux status:                 disabled

amavis1.1.0

ccs1.0.0

clamav1.1.0

dcc1.1.0

dnsmasq1.1.1

evolution1.1.0

ipsec1.4.0

iscsid1.0.0

milter1.0.0

mozilla1.1.0

mplayer1.1.0

nagios1.1.0

oddjob1.0.1

pcscd1.0.0

postgrey1.1.0

prelude1.0.0

pyzor1.1.0

qemu1.1.2

razor1.1.0

ricci1.0.0

smartmon1.1.0

spamassassin1.9.0

virt1.0.0

zosremote1.0.0

A little late to this party, but I recently had this problem too and there are multiple settings that must be in place for group retrieval to work.

DNS must be properly configured so the FQDN of ISE is resolved correctly. Remember to include the reverse lookup zone as well. Ensure that the name-server defined on the ISE CLI points to this DNS. In my case I had two other servers defined which did not have the proper entries but were responding to LDAP/AD queries so the group query failed before the correct DNS was ever contacted. Also be sure the domain name is configured correctly on the ISE CLI to match the domain you've joined.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: