Hi all,

I've got a problem authenticating certain users via wired EAP TLS as they have AD accounts in multiple active directory domains - ISE complains about multiple matches found.
The problem is the username is taken from the certificate CN and is exactly the same in two separate AD domains. Is there a way to make ISE distinguish between the two, we have tried playing with Scope, etc but no luck so far.

Yes, been trying multiple things over the past few weeks to no avail. We strip the username from the CN field in the cert and look for a match in AD, however as it returns multiple matches the authentication is rejected. Tried using the SAN field and UPN but no luck yet, working with Cisco on this. We had deployed scopes to avoid searching in the AD domain that has a duplicate account but that is failing as well. Will post any success here.

It appears the authentication started working after we restarted services on the PAN node, it does not make sense to me why but I am following up with TAC. We also updated the server side certificates for PAN/PSN. I don't see how this would have helped... will post the solution if TAC can find out the root cause.