ISE and AD integration
zimskiz
Does anyone know why ISE cannot retrieve groups from the AD? I have successfully connected the ISE with AD (the checkbox is green). What tshoot steps do you recommend? Test connection from the ISE GUI doesn't reveal anything wrong.
Comments
NVLady
AD groups can be added to ISE. What version of ISE are you running? What steps are you following? What error messages do you get?
Iristheangel
Happy to help you out:
Navigate to Administration>Identity Management>External Identity Sources and click on your AD Domain, then Groups.
Then click on Add>Select Groups From Directory:
From here, you can either filter by group name or just with * and pull up everything:
Check the box and click ok! Now you're ready to rock and roll.
If this doesn't work, it might be a permissions issue with the account you used. I remember you have to have the following permissions:
Active Directory Integration with Cisco ISE 1.3 - Cisco
After you have that up and going, it's easy to create conditions based on groups. Condition if: <AD-Name>:ExternalGroups Equals <Groupname>
aftereffector
I'm willing to bet that it is a permissions issue with the AD account that ISE is using. (Source: I had this problem before too!)
zimskiz
I'm using 1.2. I'm trying to pull everything from AD, but the message is "no data available". The account used is Administrator for AD join, so it should have enough permission.
Iristheangel
This is something completely separate but I would highly highly highly recommend upgrading to ISE 2.0 or ISE 2.1. ISE 1.2 has already been announced as End-of-Life and they'll stop releasing maintenance releases in under a year for 1.2.
Is this production or a lab?
zimskiz
Lab...learning for SISAS.
nelson8403
Does the SISAS use 1.4? I believe I also saw somewhere that they had some 2.0 version questions for ISE.
Did you verify the permissions on your AD account? Try a domain admin just to triple check permissions if possible. Are you using Kerberos authentication?
aftereffector
zimskiz wrote: » Lab...learning for SISAS.
Oh, that makes sense. We're all kind of in the same boat there lol.
I'm still thinking it would be an AD permissions issue...
Iristheangel
Hmm.. have you fully patched 1.2? For fun, try installing ISE 1.3 on the side of 1.2 and see if it has the same issue. I didn't have any AD issues with 1.2 back in the day. It was considerably less buggy than 1.1. Just slow to move around :P
zimskiz
I will try today to install ISE2.0...version 1.2 was without any kind of patch.
zimskiz
It was from ISE version 1.2. With ISE2.0 the groups are available now.