Cisco ISE 1.3 disable "Identity Resolve" step ?

marc.groenen — Mon, 11 Mar 2019 06:15:26 GMT

Currently i am working for a customer with a Cisco ISE 1.3 deployment.

The Cisco AP's are currently authenticated through MAB, the customer wants to improve this i suggested to implement EAP-FAST instade of MAB for the AP's for a quick and easy fix.

I have this working in the test and production environment but i was cycling through the authentication process and found something strange.

I created a rule that if the Network Tunnel protocol is EAP-FAST the credentials are authenticated through Internal Users.

This works fine,the ISE recognises the flow and authenticatie's through Internal Users.

15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.EapAuthentication
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - EAP-FAST
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - <<Username>>
24212 Found User in Internal Users IDStore
22037 Authentication Passed

Further down the path it decides to look the user up in Active Directory.

Since the user hasnt been created in the active directory it cant find it.

24432 Looking up user in Active Directory - <<Active Directory >>
24325 Resolving identity - <<Username>>
24313 Search for matching accounts at join point - <<Active Directory >>
24318 No matching account found in forest - <<Active Directory >>
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - <<Active Directory >>
15048 Queried PIP - <<Active Directory >>.ExternalGroups
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - AP_EAPFAST
15016 Selected Authorization Profile - AP_Lan
11002 Returned RADIUS Access-Accept

So the authentication and authorisation is succesfull but it try's to resolve the user in the active directory.

I checked the authentication process for MAB and there i see the same error.

The MAC adress of the device used for MAB is also only added to the ISE so the authentication goes through Internal Users, authentication and authorisation is succesfull but ISE wants to resolve the user(MAC adress of device) in the Active Directory.

We also see this step for the EAP-TLS flow and in this case the resolving identity step offcorse is succesfull.

Is there some way i can disable the resolving of identity through AD when Internal User Group?(or globally?)

I did some searching and found this(LDAP User Lookup)

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1067288

When i look at our deployment there is nothing configured under LDAP.

If you have ANY rules in your

jan.nielsen — Thu, 19 Nov 2015 14:47:03 GMT

If you have ANY rules in your authorization rules that use AD groups that are before your MAB or EAP-FAST rules, ISE will do a lookup, to see if it should match that rule. Put your MAB and EAP-FAST rules before any AD membership rules, and it won't do the lookup.

Awesome thanks!

marc.groenen — Thu, 19 Nov 2015 15:21:37 GMT

Awesome thanks!

topic Awesome thanks! in Network Access Control

Cisco ISE 1.3 disable "Identity Resolve" step ?

If you have ANY rules in your

Awesome thanks!