topic Re: Got the answer. But, really in Network Access Control

ISE authenticating AD users with only domain name included

stealthmode — Mon, 11 Mar 2019 06:01:59 GMT

Hi,

I am performing a migration from ACS to ISE. Both these devices use a Win 2012 Server as External Identity sources. The connection to the AD is made via LDAP. Here is a sample of what is happening on all the network devices:

N7K# test aaa group ACS test@xyz.com C!sc0@123

user has failed authentication

N7K# test aaa group ACS test C!sc0@123

user has been authenticated

N7K# test aaa group ISE test C!sc0@123

user has failed authentication

N7K# test aaa group ISE test@xyz.com C!sc0@123

user has been authenticated

The ACS results in a successful authentication only when [username] is given and fails when [username]@[domain] is entered.

The ISE results in a successful authentication only when [username]@[domain] is given and fails when just the [username] is entered.

Why is there a difference when both are using the same AD to authenticate against? Also, for information, the exact username in the AD is [username]@[domain] and the [domain] cannot be stripped. How do I make ISE ignore the “@[domain]” section? I want the ISE to consider only the [username]. Is this some setting that needs to be done on the AD or on the ISE? Please let me know.

Thanks for your help

Hi there,What you require can

Seb Rupik — Mon, 07 Sep 2015 10:01:04 GMT

Hi there,

What you require can be achieved with the Identity Re-Write settings in ISE.

Assuming you have an authentication policy which defines which Identity Store to use:

IF DEVICE is N7K THEN USE AD(xyz.com)

...this will rule will accept both [username] and [username]@[domain]. You then need to configure the Identity Re-Write:

Administration -> Identity Management -> Extenal Identity Sources -> Active Directory -> 'xyz.com'

Then under the 'Advanced' tab, scroll to the bottom for the 'Identity Re-Write' section.

Here you can define how usernames are handled. ISE by default will accept [username]@[domain], but if you want just [username] to be accepted add a rule like this:

If Identity Matches: [IDENTITY] re-write as : [IDENTITY]@xyz.com

...this will append the domain name and then pass the request onto AD.

cheers,

Seb.

You can define attributes

Tobias Svensson — Mon, 07 Sep 2015 10:06:34 GMT

You can define attributes that you reference under External Identity Sources->Your AD->Attributes.

You could change to SamAccountName here for instance, which is your username only instead of UserPrincipalName which is username@domain.

This is a useful bit of info,

stealthmode — Mon, 07 Sep 2015 10:51:53 GMT

This is a useful bit of info, but, like mentioned, I am using LDAP to connect to the AD. These Identity rewrite operations are not present under the LDAP section.

Can you help me here?

Got the answer. But, really

stealthmode — Mon, 07 Sep 2015 11:01:22 GMT

Got the answer. But, really thanks for this useful bit of info. 🙂

If its the LDAP connector

Tobias Svensson — Mon, 07 Sep 2015 11:02:19 GMT

If its the LDAP connector youre using you can specify 'cn' as 'Subject Name Attribute' instead under the General tab.

Re: Got the answer. But, really

jarjones — Thu, 04 Oct 2018 19:50:55 GMT

Hello abhsha,

How did you solve this? I am connecting the AD via LDAP as well.

Re: Got the answer. But, really

mcarassale — Thu, 30 Jul 2020 12:43:36 GMT

HI,

how did you solve this? im having the same issue