300-715 Question #133: Real Exam Question with Answer & Explanation
The correct answer is D: The groups are not added to Cisco ISE under the AD join point. Specific Active Directory groups not appearing in Cisco ISE for authorization policy conditions, while others do, indicates that those groups have not been explicitly added to Cisco ISE under the Active Directory join point.
Question
When configuring an authorization policy, an administrator cannot see specific Active Directory groups present in their domain to be used as a policy condition. However, other groups that are in the same domain are seen. What is causing this issue?
Options
- A. Cisco ISE only sees the built-in groups, not user-created ones
- B. The groups are present but need to be manually typed as conditions
- C. Cisco ISE's connection to the AD join point is failing
- D. The groups are not added to Cisco ISE under the AD join point
Explanation
Specific Active Directory groups not appearing in Cisco ISE for authorization policy conditions, while others do, indicates that those groups have not been explicitly added to Cisco ISE under the Active Directory join point.
Common mistakes.
- A. Cisco ISE can see and utilize both built-in and user-created Active Directory groups, provided they are configured correctly within the ISE AD identity source.
- B. Active Directory groups used in authorization policies must be selectable from a dropdown or search interface in ISE; they cannot be manually typed as conditions because ISE needs to validate their existence and membership.
- C. If ISE's connection to the AD join point were failing, no Active Directory groups would be visible or usable, which contradicts the statement that 'other groups that are in the same domain are seen'.
Concept tested. Cisco ISE Active Directory group integration