Lab Minutes Forum
Technical Discussion => Security => Topic started by: gvoden on November 24, 2016, 11:16:47 AM
-
Hi all,
I've got a problem authenticating certain users via wired EAP-TLS as they have AD accounts in multiple Active Directory domains - ISE complains about multiple matches found.
The problem is the username is taken from the certificate CN and is exactly the same in two separate AD domains. Is there a way to make ISE distinguish between the two? We have tried playing with Scope, etc., but no luck so far.
-
You will need to make it unambiguous to ISE by specifying the domain in the username, either in the domain\username or the username@domain.com format. This can either be in the CN or possibly in other attributes like the UPN or SAN.
-
Yes, been trying multiple things over the past few weeks to no avail. We strip the username from the CN field in the cert and look for a match in AD; however, as it returns multiple matches, the authentication is rejected. Tried using the SAN field and UPN but no luck yet, working with Cisco on this. We had deployed scopes to avoid searching in the AD domain that has a duplicate account, but that is failing as well. Will post any success here.
-
Did you try to pass the domain name along with the username to ISE? Are you saying that even with the domain name in the username, ISE still searches all domains for the user? Technically, using an AD Scope should work too, unless you have multiple two-way trusts to other domains and you can't disable the search in those domains.
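A stripped-down model of the lookup discussed in this thread, added here as an example (it is not ISE code, and the directory, domain names, NetBIOS names, UPN suffixes and accounts are all constructed): a bare CN present in two trusted domains is rejected as "multiple matches found", while a UPN-style or domain\user identity, or an AD scope limited to one domain, resolves to a single account.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed forest: two trusted domains that both hold a "gvoden" account.
DIRECTORY = {
    "corp.example.com": {"netbios": "CORP",
                         "upn_suffixes": {"corp.example.com", "example.com"},
                         "users": {"gvoden", "jdoe"}},
    "lab.example.net": {"netbios": "LAB",
                        "upn_suffixes": {"lab.example.net"},
                        "users": {"gvoden", "asmith"}},
}

@dataclass
class Result:
    accepted: bool
    domain: Optional[str]
    reason: str

def parse_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split the certificate identity into (user, domain hint).
    Accepts user@suffix (UPN), NETBIOS\\user, or a bare CN with no hint."""
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        return user, suffix.lower()
    if "\\" in identity:
        netbios, user = identity.split("\\", 1)
        return user, netbios.upper()
    return identity, None

def resolve(identity: str, scope: Optional[Set[str]] = None) -> Result:
    """Return the single matching domain, or reject when the lookup is
    ambiguous (the 'multiple matches found' failure) or finds nothing.
    `scope` limits the search to the listed domains, like an AD scope."""
    user, hint = parse_identity(identity)
    matches: List[str] = []
    for dns_name, dom in DIRECTORY.items():
        if scope is not None and dns_name not in scope:
            continue
        if user not in dom["users"]:
            continue
        # A domain hint must agree with the NetBIOS name or a UPN suffix.
        if hint is not None and hint != dom["netbios"] \
                and hint not in dom["upn_suffixes"]:
            continue
        matches.append(dns_name)
    if len(matches) == 1:
        return Result(True, matches[0], "unique match")
    if not matches:
        return Result(False, None, "user not found")
    return Result(False, None, "multiple matches found: " + ", ".join(matches))
```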
-
It appears the authentication started working after we restarted services on the PAN node; it does not make sense to me why, but I am following up with TAC. We also updated the server-side certificates for PAN/PSN. I don't see how this would have helped... will post the solution if TAC can find out the root cause.
-
Yes. Please keep us posted. We would certainly like to know what the issue is, as it technically should work.