https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746824#M488220 <P>Hello,</P> <P>&nbsp;</P> <P>I have ISE VM 2.0.0.306 which is using RADIUS authentication just for AAA.</P> <P>&nbsp;</P> <P>I am having a certificate issue with our Palo Alto remote access VPN. When the client connects their VPN the firewall looks at the User Principal Name which is "username@domainname.com" in some cases it might be "username@other.domainname.com"</P> <P>&nbsp;</P> <P>The problem is the authentication doesn't work because the firewall is supposed to only send the username of the UPN when authenticating to LDAP. It should not be sending anything after the '@' symbol.&nbsp;</P> <P>&nbsp;</P> <P>If I send the VPN authentication request to ISE would it be possible for ISE to strip everything after the&nbsp;@ symbol and then&nbsp;authenticate against&nbsp;AD?</P> Wed, 14 Nov 2018 19:06:39 GMT waqas gondal 2018-11-14T19:06:39Z https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746824#M488220 <P>Hello,</P> <P>&nbsp;</P> <P>I have ISE VM 2.0.0.306 which is using RADIUS authentication just for AAA.</P> <P>&nbsp;</P> <P>I am having a certificate issue with our Palo Alto remote access VPN. When the client connects their VPN the firewall looks at the User Principal Name which is "username@domainname.com" in some cases it might be "username@other.domainname.com"</P> <P>&nbsp;</P> <P>The problem is the authentication doesn't work because the firewall is supposed to only send the username of the UPN when authenticating to LDAP. It should not be sending anything after the '@' symbol.&nbsp;</P> <P>&nbsp;</P> <P>If I send the VPN authentication request to ISE would it be possible for ISE to strip everything after the&nbsp;@ symbol and then&nbsp;authenticate against&nbsp;AD?</P> Wed, 14 Nov 2018 19:06:39 GMT https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746824#M488220 waqas gondal 2018-11-14T19:06:39Z https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746842#M488222 <P>Definitely. Check out:</P> <P><A title="ISE 2.0 Administrator Guide" href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf" target="_self">https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf</A></P> <P>&nbsp;</P> <P>Specifically "Identity Rewrite". You can put square brackets around any part of the identity you wish and then tokenize as you see fit. After ISE performs the changes you wish, it will then authenticate with that identity.</P> Wed, 14 Nov 2018 19:35:10 GMT https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746842#M488222 Nadav 2018-11-14T19:35:10Z https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746974#M488224 <P>Thanks!</P> <P>It addresses my issue but now I have a certificate problem. I pointed the firewall to ISE for Radius authentication of VPN users.</P> <P>ISE has a certificate form the issuing CA and so do the clients but the Firewall is saying there is a self signed cert in the chain when VPN users enter their credentials.</P> Wed, 14 Nov 2018 22:39:27 GMT https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746974#M488224 waqas gondal 2018-11-14T22:39:27Z https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746978#M488226 Suggest you open a separate thread and provide screenshot of your trusted certificates.<BR /><BR />Make sure client presented to endpoints is from a well know root. If you don’t have this and using your own PKI then the complete chain needs to be trusted on the clients.<BR /> Wed, 14 Nov 2018 22:44:04 GMT https://community.cisco.com/t5/network-access-control/radius-authentication-to-strip-domainname-com-from-user/m-p/3746978#M488226 Jason Kunst 2018-11-14T22:44:04Z