How to fix/Resolve the Cisco ISE Active directory group membership issue
Problem
In this brief article, I will walk you through a Cisco ISE issue in which external group membership fails to update when members are added or removed. As a result, when you attempt to use the newly added users, an error message is encountered. In this scenario, which involves Microsoft Active Directory, the following error message is displayed upon logging in:
The root cause of this problem lies in the failure to update the SID values. Therefore, a manual update of the SID values is required to resolve this issue.
See the error message in the picture below for reference.
Resolution
To address this issue, follow these steps:
- Navigate to the Administration section.
- Click on External Identity Sources.
After clicking on “External Identity Sources,” you will be presented with a list of all the external sources. In this specific case, Active Directory will be listed, along with the associated domain. To proceed, select the domain and click on the “Groups” option located on the right-hand side.
Once you have highlighted the “Groups” option, proceed to click on “Update SID Values.” This action will update the group membership within Active Directory (AD).
Once the values have been successfully updated, you should be all set with the new group. Give it a try now, and it should work without any issues.