https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4395517#M566990 <P>Currently we are using Subject Alternate Name, I think I can change this the Common Name to resolve the issue, is there a best practices or which fits best for that particular deployment.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Joe</P> Thu, 29 Apr 2021 14:35:29 GMT joeharb 2021-04-29T14:35:29Z https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4395476#M566985 <P>We have specific users that have both an Admin account and a normal account.&nbsp; We are using EAP-TLS and have found that they fail authentication.&nbsp; ISE responds with a:</P><P>&nbsp;</P><TABLE border="0" cellpadding="3"><TBODY><TR><TD>&nbsp;</TD><TD>24324</TD><TD>Identity resolution detected multiple matching accounts</TD></TR><TR><TD>&nbsp;</TD><TD>24417</TD><TD>User's Groups retrieval from Active Directory failed</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>The radius user name is from the <A href="mailto:first.lastname@csiweb.com" target="_blank" rel="noopener">first.lastname@csiweb.com</A>.&nbsp; I am trying to determine what attributes are being retrieved that makes it think that the accounts are the same...the sAMAccount and UPN are different in AD.</P><P>Would the debug logs give me some of this information?</P><P>Thanks,</P><P>Joe</P> Thu, 29 Apr 2021 13:36:13 GMT https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4395476#M566985 joeharb 2021-04-29T13:36:13Z https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4395517#M566990 <P>Currently we are using Subject Alternate Name, I think I can change this the Common Name to resolve the issue, is there a best practices or which fits best for that particular deployment.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Joe</P> Thu, 29 Apr 2021 14:35:29 GMT https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4395517#M566990 joeharb 2021-04-29T14:35:29Z https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4396389#M567034 <P>CSCvu35802&nbsp;Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest</P> <P>might be what you are hitting.</P> Sat, 01 May 2021 05:58:12 GMT https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4396389#M567034 hslai 2021-05-01T05:58:12Z https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4397142#M567099 <P>Thanks for the response, in looking at the Bug, I don't know if I can change to UPN as the UPN reflects our internal domain&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/182356">@csi</a>.corp, while the username is @csiweb.com (from the Subject Alt Name).&nbsp; I am going to test with the Certificate profile change the Common Name as that seems to be unique.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Joe</P> Mon, 03 May 2021 16:28:24 GMT https://community.cisco.com/t5/network-access-control/multiple-matches-for-users-with-two-ad-accounts/m-p/4397142#M567099 joeharb 2021-05-03T16:28:24Z