If the AD connection is defined as an Active Directory join point in ISE, why not use "Groups" instead of "memberOf"? If it is defined as an LDAP object, then why not as an Active Directory object?
The attribute "memberOf" does not include the primary group membership and also does not show membership from nested groups. Using "Groups" with the AD join points has no such limit.
I do not think it is related to expired accounts.
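To make the "memberOf" limitation concrete, here is a small added example (not part of the reply above, and not ISE or Cisco code) that walks a constructed, hypothetical directory snapshot. Users carry the direct-only `memberOf` list and a `primaryGroupID` RID; groups carry `member` lists. Reading `memberOf` directly misses the primary group (Domain Users, RID 513) and any group reached through nesting, which is the gap an AD join point's "Groups" lookup closes.

```python
"""Why the raw LDAP ``memberOf`` attribute understates group membership.

Constructed sample directory (hypothetical DNs and RIDs, not a real domain):
users carry ``memberOf`` (direct memberships only) and ``primaryGroupID``;
groups carry ``member`` lists and a RID.
"""
from collections import deque

# Constructed sample directory: DN -> attributes (all values hypothetical).
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": "group", "rid": 513,
        # Primary-group membership is NOT stored in member/memberOf.
        "member": [],
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "objectClass": "group", "rid": 1101,
        "member": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],  # nested group
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectClass": "group", "rid": 1102,
        "member": ["CN=alice,OU=Staff,DC=example,DC=com"],
    },
    "CN=alice,OU=Staff,DC=example,DC=com": {
        "objectClass": "user",
        "primaryGroupID": 513,
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],  # direct only
    },
}


def member_of(user_dn):
    """What a rule sees when it matches on the raw memberOf attribute."""
    return set(DIRECTORY[user_dn].get("memberOf", []))


def effective_groups(user_dn):
    """Transitive membership plus the primary group: the set AD itself
    computes for the user, which memberOf alone does not reproduce."""
    groups = set()
    queue = deque(DIRECTORY[user_dn].get("memberOf", []))
    # Resolve primaryGroupID (a RID) back to the group DN.
    rid = DIRECTORY[user_dn].get("primaryGroupID")
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") == "group" and attrs.get("rid") == rid:
            queue.append(dn)
    while queue:
        g = queue.popleft()
        if g in groups:
            continue
        groups.add(g)
        # Walk upward: any group listing g as a member also contains the user.
        for dn, attrs in DIRECTORY.items():
            if attrs.get("objectClass") == "group" and g in attrs.get("member", []):
                queue.append(dn)
    return groups


def missed_by_member_of(user_dn):
    """Groups an authorization rule keyed on memberOf would silently miss."""
    return effective_groups(user_dn) - member_of(user_dn)


if __name__ == "__main__":
    alice = "CN=alice,OU=Staff,DC=example,DC=com"
    print("memberOf:", sorted(member_of(alice)))
    print("effective:", sorted(effective_groups(alice)))
    print("missed:", sorted(missed_by_member_of(alice)))
```

Run it and the `missed` line lists both the primary group and the nested VPN-Users group, neither of which a rule matching on `memberOf` would ever see for this user.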