This is a quick article to walk you thru on an issue where external group membership for Cisco ISE does not get updated when you add or remove new members and you get an error message using the newly added users. in this case it is Microsoft Active Directory and below is the error message you will get when logging in
This is caused by SID values not being updated and you will need to manually update the SID values
Go to Administration and External Identity Sources
Once you click on the “External Identity Sources” It will list all external sources and in this case it is Active Directory and it will list domain, highlight the domain and choose groups on the right
Once you the ‘Groups’ has highlighted then click on ‘Update SID Values’ which update the group membership in AD
try again and you should be good to go – I hope this helps
