ISE and AD integration

Does anyone knows why ISE cannot retrieve groups from the AD? I have successfully connect the ISE with AD (the checkbox is green). What tshoot steps do you recommend ? Test connection from ISE GUI, doesn't reveal anything wrong.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

NVLady

AD groups can be added to ISE. What version of ISE are you running? What steps are you following? What error messages do you get?

Iristheangel

Happy to help you out:

Navigate to Administration>Identity Management>External Identity Sources and click on the your AD Domain, then Groups

Then click on Add>Select Groups From Directory:

From here, you can either filter by group name or just with * and pull up everything:

Check the box and click ok! Now you're ready to rock and roll.

If this doesn't work, it might be a permissions issue with the account you used. I remember you have to have the following permissions:Active Directory Integration with Cisco ISE 1.3 - Cisco

After you have that up and going, it's easy to create conditions based on groups. Condition if: <AD-Name>:ExternalGroups Equals <Groupname>

TE1.JPG

TE2.JPG

TE3.jpg

aftereffector

I'm willing to bet that it is a permissions issue with the AD account that ISE is using. (Source: I had this problem before too!)

zimskiz

I'm using 1.2. I'm trying to pull everything from AD, but the message is "no data available". THe account used is Administrator for AD join, so should have enough permission.

Iristheangel

This is something completely separate but I would highly highly highly recommend upgrading to ISE 2.0 or ISE 2.1. ISE 1.2 has already been announced as End-of-Life and they'll stop releasing maintenance releases in under a year for 1.2.

Is this production or a lab?

zimskiz

Lab...learning for SISAS.

nelson8403

Does the SISAS use 1.4? I believe I also saw somewhere that they had some 2.0 version questions for ISE.

Did you verify the permissions on your AD account? Try a domain admin just to triple check permissions if possible. Are you using Kerberos authentication?

aftereffector

zimskiz wrote: »

Lab...learning for SISAS.

Oh, that makes sense. We're all kind of in the same boat there lol.

I'm still thinking it would be an AD permissions issue...

Iristheangel

Hmm.. have you fully patched 1.2? For fun, try installing ISE 1.3 on the side of 1.2 and see if it has the same issue. I didn't have any AD issues with 1.2 back in the day. It was considerably less buggy than 1.1. Just slow to move around :P

zimskiz

I will try today to install ISE2.0...version 1.2 was without any kind of patch.

zimskiz

It was from ISE version 1.2. With ISE2.0 the groups are available now.