Cisco Identity Services Engine 1.2 Troubleshooting Guide

Solution
Modify permissions for ISE machine account on AD
The error in the detailed authentication report implies that the ISE machine account in
Active Directory does not have sufficient privileges to fetch token groups.
Note: The fix is applied on the AD side, because AD has not granted the ISE machine account
the required privilege. You may need to disconnect and reconnect ISE to AD afterwards.
The current privileges of the machine account can be checked using the dsacls command as
shown in this example:
Open a command prompt on your AD with administrator privilege.
The dsquery command can be used to find the Fully Qualified Domain Name (FQDN) of the ISE.
Here lab-ise1 is the hostname of the ISE:
C:\Users\admin> dsquery computer -name lab-ise1
"CN=lab-ise1,CN=Computers,DC=ciscolab,DC=local"
The dsacls command can now be used to find the privileges assigned to the machine account:
C:\Windows\system32> dsacls "CN=lab-ise1,CN=Computers,DC=ciscolab,DC=local" >> C:\dsacl_output.txt
The output is long and is therefore redirected into a text file, dsacl_output.txt, that can then be
opened and viewed properly in a text editor such as Notepad.
If the account has permissions to read token groups, then it will have these entries in the
dsacl_output.txt file:
If the permissions are not present, they can be added with this command:
C:\Windows\system32> dsacls "CN=Computers,DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups
If the FQDN or the exact container is not known, the same grant can be applied at the level of the
whole domain or of an OU instead:
C:\Windows\system32> dsacls "DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups
C:\Windows\system32> dsacls "OU=ExampleOU,DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups
These commands apply to the host lab-ise1 throughout the entire domain or OU, respectively.
Remember to replace the group and host name details in the commands with the corresponding
group and ISE name from your deployment. This command grants the ISE machine account the
privilege to read the token groups. It needs to be run on one domain controller only and should
replicate to other controllers automatically.
The issue can be resolved immediately by running the command on the domain controller to which
ISE is currently connected.
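The check-then-grant procedure above can be scripted so that the tokenGroups read permission is verified against the ACL itself rather than by reading a dsacls dump by eye. The following PowerShell script is an added example and is not part of the Cisco guide; it assumes the ActiveDirectory RSAT module is available on the domain controller, that the account running it may read and modify ACLs on the Computers container, and it uses the guide's lab hostname (lab-ise1) and container DN (CN=Computers,DC=ciscolab,DC=local) as placeholder defaults. Without the -Apply switch it only reports; with -Apply it adds the same inheritable ACE that the dsacls /I:T /G "lab-ise1$":rp;tokenGroups command grants.

```powershell
# Added example (not from the Cisco guide): PowerShell equivalent of the dsacls check and grant.
# Assumptions: ActiveDirectory RSAT module present; caller may read/modify the container ACL.
# The hostname and container DN are the guide's lab values; replace them for your deployment.
param(
    [string]$IseHostname = 'lab-ise1',
    [string]$ContainerDn = 'CN=Computers,DC=ciscolab,DC=local',
    [switch]$Apply   # report only unless -Apply is given
)

Import-Module ActiveDirectory -ErrorAction Stop

# Translate an ACE's identity (NTAccount or raw SID) to a SID so it can be compared reliably.
function Resolve-AceSid {
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

# Return the Allow ACEs on $Dn (direct or inherited) that give $Sid READ PROPERTY on the
# tokenGroups attribute. An ACE whose ObjectType is the empty GUID means "all properties"
# and therefore also qualifies.
function Get-TokenGroupsReadAce {
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$Sid, [Guid]$AttrGuid)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
        ($_.ObjectType -eq $AttrGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        ((Resolve-AceSid $_) -eq $Sid)
    }
}

# Resolve the ISE computer object (what "dsquery computer -name lab-ise1" prints).
$computer = Get-ADComputer -Identity $IseHostname
Write-Host "ISE computer object: $($computer.DistinguishedName)"

# ACEs identify the attribute by its schemaIDGUID, not by name, so look tokenGroups up once.
$schemaNc  = (Get-ADRootDSE).SchemaNamingContext
$schemaObj = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'tokenGroups' } -Properties schemaIDGUID
$tokenGroupsGuid = New-Object Guid -ArgumentList (,[byte[]]$schemaObj.schemaIDGUID)

$sid = $computer.SID
$existing = @(Get-TokenGroupsReadAce -Dn $computer.DistinguishedName -Sid $sid -AttrGuid $tokenGroupsGuid)

if ($existing.Count -gt 0) {
    Write-Host "OK: $IseHostname`$ already has READ PROPERTY on tokenGroups:"
    $existing | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize
    return
}

Write-Warning "$IseHostname`$ has no READ PROPERTY ACE for tokenGroups; this matches the ISE token-group fetch error."
if (-not $Apply) {
    Write-Host "Re-run with -Apply to grant it (equivalent to: dsacls `"$ContainerDn`" /I:T /G `"$IseHostname`$`":rp;tokenGroups)."
    return
}

# Grant on the container with inheritance to its child objects, mirroring dsacls /I:T.
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $tokenGroupsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$containerAcl = Get-Acl -Path "AD:\$ContainerDn"
$containerAcl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ContainerDn" -AclObject $containerAcl
Write-Host "Granted on $ContainerDn. Re-run without -Apply to confirm; allow time for replication to other DCs."
```

Run it first without -Apply on the domain controller ISE is joined to; the report shows whether the permission exists and whether it is inherited from the container or set directly on the computer object. The grant is deliberately scoped to READ PROPERTY on the single tokenGroups attribute, the same minimal right the dsacls command gives, rather than a broader read-all-properties ACE.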