topic Re: Cisco ISE (user certificate ambiguity error) in Network Access Control

Cisco ISE (user certificate ambiguity error)

Jay233 — Thu, 26 Mar 2020 11:04:25 GMT

Hi All,

Receiving an authentication error in ISE (2.x) relating to user certificate ambiguity.

Setup - AD Join connector configured for user and machine in several domains.

Clients - Win 10 - EAP-TLS for machine and user network access.

Issue:

Single domain user account in DomainA or DomainB works fine, but when trying to auth a client with identical user accounts in DomainA&DomainB authentication is rejected due to multiple matching records "resolve certificate identity ambiguity using certificates match".

Question - How to accommodate a user in multiple domains for authentication?

Cheers,

Re: Cisco ISE (user certificate ambiguity error)

Cristian Matei — Thu, 26 Mar 2020 13:13:14 GMT

Hi,

1. The simplest solution would be to create some conditions in your authentication policy, thus based on the attributes of the incoming RADIUS request, you know to which domain the user belongs to, and configure ISE to look for a specific join point.

2. Have you set the "Match Client Certificate against Certificate in Identity Store" to "Only to resolve Identity Ambiguity" or to "Always perform binary comparison"?

Also, take a look at this bug and upgrade to a proper version and patch level of ISE.

Regards,

Cristian Matei.

Re: Cisco ISE (user certificate ambiguity error)

Greg Gibbs — Fri, 27 Mar 2020 02:03:07 GMT

In addition to @Cristian Matei's comments, another way to resolve ambiguity issues when your have a user that exists in multiple domains would be to ensure you are using an identity value in your Certificate Authentication Profile that includes the domain name.

Typically, the CN would include just the computer or user name but options like UPN or Email would include the domain.

You would need to ensure, however, that the separate certificate templates in ADCS used to enrol both Computers and Users includes the value specified in the Cert Auth Profile.

Re: Cisco ISE (user certificate ambiguity error)

Jay233 — Fri, 27 Mar 2020 10:33:36 GMT

Hi Greg,
Is the below necessary?
Use Explicit UPN
To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.

Re: Cisco ISE (user certificate ambiguity error)

Greg Gibbs — Sun, 29 Mar 2020 22:58:27 GMT

I'm no AD expert but, as I understand it, the advanced tuning for the Explicit UPN would be more for solving ambiguity issues within a single domain. I don't believe this would be required with your use case for multiple domains.

See the following link for more information about iUPN versus eUPN:

User Principle Names in AD

AFAIK, however, the UPN is not automatically generated for a computer account by default. If you intend to use the UPN value in the certificate for both Computers and Users, you will likely need to make sure the UPN attribute is set for the computer account during or after the domain join and before the certificate is enrolled so the value is populated in the certificate SAN.

Example: