collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ISE 1.4 EAP TLS failing - multiple accounts found for user  (Read 7076 times)

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
  • Certification: N/A
ISE 1.4 EAP TLS failing - multiple accounts found for user
« on: November 24, 2016, 11:16:47 AM »
Hi all,

I've got a problem authenticating certain users via wired EAP TLS as they have AD accounts in multiple active directory domains - ISE complains about multiple matches found.
The problem is the username is taken from the certificate CN and is exactly the same in two separate AD domains. Is there a way to make ISE distinguish between the two, we have tried playing with Scope, etc but no luck so far.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« Reply #1 on: November 27, 2016, 11:28:10 PM »
You will need to make it unambiguous to ISE by specifying domain in the username either in the domain\username or username@domain.com format. This can either be in the CN or possibly other attributes like UPN or SAN.

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
  • Certification: N/A
Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« Reply #2 on: November 28, 2016, 08:06:50 PM »
Yes, been trying multiple things over the past few weeks to no avail. We strip the username from the CN field in the cert and look for a match in AD, however as it returns multiple matches the authentication is rejected. Tried using the SAN field and UPN but no luck yet, working with Cisco on this. We had deployed scopes to avoid searching in the AD domain that has a duplicate account but that is failing as well. Will post any success here.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« Reply #3 on: November 30, 2016, 12:18:07 AM »
Did you try to pass domain name along with username to ISE? Are you saying even with the domain name in username, ISE still searches all domains for the user? Technically using AD Scope should work too unless you have multiple two-way trust to other domain and you can't disable search in those domain

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
  • Certification: N/A
Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« Reply #4 on: January 06, 2017, 01:07:37 PM »
It appears the authentication started working after we restarted services on the PAN node, it does not make sense to me why but I am following up with TAC. We also updated the server side certificates for PAN/PSN. I don't see how this would have helped... will post the solution if TAC can find out the root cause.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE 1.4 EAP TLS failing - multiple accounts found for user
« Reply #5 on: January 08, 2017, 08:32:03 PM »
Yes.. Please keep us posted. We would certainly like to know what the issue is as it technically should work.

 

Related Topics

  Subject / Started by Replies Last post
10 Replies
20436 Views
Last post September 04, 2018, 08:20:52 PM
by MC
3 Replies
11375 Views
Last post September 03, 2014, 01:12:23 AM
by MC
1 Replies
5858 Views
Last post March 07, 2016, 11:10:44 PM
by MC
1 Replies
4707 Views
Last post March 12, 2017, 11:13:23 PM
by MC
0 Replies
5323 Views
Last post August 18, 2020, 01:52:07 PM
by yagneshchouhan

SimplePortal 2.3.7 © 2008-2024, SimplePortal