ISE and AD integration
zimskiz
Member Posts: 98 ■■□□□□□□□□
Does anyone know why ISE cannot retrieve groups from the AD? I have successfully connected the ISE with AD (the checkbox is green). What tshoot steps do you recommend? Test connection from the ISE GUI doesn't reveal anything wrong.
Comments
-
NVLady
Member Posts: 51 ■■□□□□□□□□
AD groups can be added to ISE. What version of ISE are you running? What steps are you following? What error messages do you get?
-
Iristheangel
Mod Posts: 4,133 Mod
Happy to help you out:
Navigate to Administration>Identity Management>External Identity Sources and click on your AD Domain, then Groups
Then click on Add>Select Groups From Directory:
From here, you can either filter by group name or just with * and pull up everything:
Check the box and click ok! Now you're ready to rock and roll.
If this doesn't work, it might be a permissions issue with the account you used. I remember you have to have the following permissions: Active Directory Integration with Cisco ISE 1.3 - Cisco
After you have that up and going, it's easy to create conditions based on groups. Condition if: <AD-Name>:ExternalGroups Equals <Groupname>
-
aftereffector
Member Posts: 525 ■■■■□□□□□□
I'm willing to bet that it is a permissions issue with the AD account that ISE is using. (Source: I had this problem before too!)
CCIE Security - this one might take a while...
-
zimskiz
Member Posts: 98 ■■□□□□□□□□
I'm using 1.2. I'm trying to pull everything from AD, but the message is "no data available". The account used is Administrator for AD join, so should have enough permission.
-
Iristheangel
Mod Posts: 4,133 Mod
This is something completely separate but I would highly highly highly recommend upgrading to ISE 2.0 or ISE 2.1. ISE 1.2 has already been announced as End-of-Life and they'll stop releasing maintenance releases in under a year for 1.2.
Is this production or a lab?
-
nelson8403
Member Posts: 220 ■■■□□□□□□□
Does the SISAS use 1.4? I believe I also saw somewhere that they had some 2.0 version questions for ISE.
Did you verify the permissions on your AD account? Try a domain admin just to triple check permissions if possible. Are you using Kerberos authentication?
Bachelor of Science, IT Security
Master of Science, Information Security and Assurance
CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
-
aftereffector
Member Posts: 525 ■■■■□□□□□□
Lab...learning for SISAS.
Oh, that makes sense. We're all kind of in the same boat there lol.
I'm still thinking it would be an AD permissions issue...
CCIE Security - this one might take a while...
-
Iristheangel
Mod Posts: 4,133 Mod
Hmm.. have you fully patched 1.2? For fun, try installing ISE 1.3 on the side of 1.2 and see if it has the same issue. I didn't have any AD issues with 1.2 back in the day. It was considerably less buggy than 1.1. Just slow to move around :P
-
zimskiz
Member Posts: 98 ■■□□□□□□□□
I will try today to install ISE 2.0... version 1.2 was without any kind of patch.
-
zimskiz
Member Posts: 98 ■■□□□□□□□□
It was from ISE version 1.2. With ISE 2.0 the groups are available now.