topic ISE 1.1 EAP-TLS User Authentication in Multiforest in Network Access Control

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch — Mon, 11 Mar 2019 02:14:54 GMT

Hello,

we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.

This is the setup:

In domain1 is a MSFT CA with OCSP, DC and ISE

In domain2 is a DC and the users

there is a two way trust between the domains.

This is my authentication scenario:

1. agent connect to a wireless network (ok)

2. client exchanges certificate information with ISE (ok)

3. ISE exchanges certificate status with CA (ok)

4. ISE extracts the subject Alternative Name from the certificate dersa@domain2.ch (ok)

5. ISE queries Active Directory store for the user dersa@domain2.ch (not ok fails with 22056 Subject not found)

in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.

I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.

Any Ideas?

Regards

Alex

Extract from Log File

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040

DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person

name=dersa@domain2.ch

options=2

DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch

DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list

DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:

dersa@domain2.ch#012name

dersa@domain2.ch

type=SAM domain=domain1.LAN#012

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

)), attrs 7e638646 (cacheOps=40f, GC=0)

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN

DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

))"

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

)), attrs e4a3aa15 (cacheOps=40f, GC=1)

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f

DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

))"

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No

DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="

dersa@domain2.ch

" (GC=0)

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper

'dersa@domain2.ch'

is not a canonical name

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="dersa@domain2.ch" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper 'dersa@domain2.ch' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch — Wed, 27 Jun 2012 17:35:50 GMT

I was now able to query user attributes from domain2, i had to provide the username in this format domain2\username. I believe this is the problem i am sending the username in the wrong format. If i would be able to modify the format from username@domain.ch to domain\username everything would be fine.

regards

alex

ISE 1.1 EAP-TLS User Authentication in Multiforest

Tarik Admani — Wed, 27 Jun 2012 17:45:56 GMT

Alex,

We need to see if the dns server is able to resolve the domain2, if you issue a nslookup for domain2 what do you show, do you receive any responses? I would start there and see what that turns up. Also what type of trust do you have enabled between domain1 and domain2, ISE uses kerberos to authenticate these users so we need to see if you have an external trust configured between these domains then authentication will fail since kerberos is not allowed. Please use a forest trust which allows kerberos and that should fix your issue.

If you were using acs 4.2 at one point then it would have worked because that uses ntlm auth.

Here is an article for reference:

http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html

Thanks,

Tarik Admani

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch — Wed, 27 Jun 2012 17:54:42 GMT

Hello Tarik,

the trust type is forest Trust. As i mentioned, i was able to retrieve user attributes when i do it in the active directory configuration procedure. What matters at the moment is the format of the username. I have to send it as domai\username. But i can't achieve this with Binary Certificate Comparisation.

regards

alex

ISE 1.1 EAP-TLS User Authentication in Multiforest

Tarik Admani — Wed, 27 Jun 2012 18:05:12 GMT

Alex,

It looks like ISE is unable to contact the GC for domain2, are you able to resolve domain2? In the case you are able to resolve the name using netbios, now when you upn (xxx@xxx.xx) that requires dns to be operational since it looks up the dns domain and then sends the user request to the domain GC, my assumption is when you netbios it sends the request to domain1's GC and then it is able to authenticate the user through the trust. I am not an AD expert but I am assuming that is why one is working over the other.

When issue a dns query on the ISE cli for domain2 do you receive any GC's in the response?

Thanks

tarik admani

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch — Wed, 27 Jun 2012 18:17:14 GMT

Tarik,

from the ISE cli i can nslookup domain2.lan and i get this result

nos-ch-wbn-ise1/admin# nslookup domain2.lan

Trying "domain2.lan"

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373

;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:

;domain2.lan. IN ANY

;; ANSWER SECTION:

domain2.lan. 600 IN A 192.168.68.21

domain2.lan. 600 IN A 172.28.1.3

domain2.lan. 600 IN A 172.28.1.2

domain2.lan. 600 IN A 192.168.68.20

domain2.lan. 3600 IN NS labdc01.lab.lan.

domain2.lan. 3600 IN NS labdc02.lab.lan.

domain2.lan. 3600 IN NS labex01.lab.lan.

domain2.lan. 3600 IN NS bsdehepdc01.domain2.lan.

domain2.lan. 3600 IN NS bsdehepfs01.domain2.lan.

domain2.lan. 3600 IN NS mordor.softlink.ch.

domain2.lan. 3600 IN NS shire.softlink.ch.

domain2.lan. 3600 IN NS labex02.lab.lan.

domain2.lan. 3600 IN NS icm60.icm60domain.lan.

domain2.lan. 3600 IN NS bsfs02.domain2.lan.

domain2.lan. 3600 IN NS bsfs03.domain2.lan.

domain2.lan. 3600 IN SOA bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600

;; ADDITIONAL SECTION:

labdc01.lab.lan. 3600 IN A 172.28.2.196

bsdehepdc01.domain2.lan. 311 IN A 192.168.68.20

bsdehepfs01.domain2.lan. 2771 IN A 192.168.68.21

bsfs02.domain2.lan. 1649 IN A 172.28.1.2

bsfs03.domain2.lan. 595 IN A 172.28.1.3

So i assume dns is working fine.

Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?

thanks & regards

Alex

ISE 1.1 EAP-TLS User Authentication in Multiforest

Tarik Admani — Wed, 27 Jun 2012 18:27:22 GMT

The best thing at this point is to open a SR with TAC since the nslookup commands wont allow you to look for GCs through the cli.

if you are looking for a quick solution what you can do is configure the second domain as an ldap instance since you are using eap-tls. Then you can create and identity store sequence that will check AD then LDAP.

I did notice the following replies:

domain2.lan. 3600 IN NS mordor.softlink.ch.

domain2.lan. 3600 IN NS shire.softlink.ch.

I dont know why these servers are being sent in the response.

Thanks,

Tarik Admani

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch — Wed, 27 Jun 2012 18:34:41 GMT

Hello Tarik,

those are external servers from our provider, i have to verify with them why this is like it is. At the moment i have multiple ldap in the production environment with my ACS.

I don't if i can open tac cases with eval versions.

i'll try

regards

Alex

ISE 1.1 EAP-TLS User Authentication in Multiforest

Tarik Admani — Sun, 01 Jul 2012 03:35:39 GMT

Alex,

We're you able to get the DNS info cleaned up.

Thanks