topic Re: Same username in two domains. in Network Access Control

Same username in two domains.

Janne K. — Mon, 20 Sep 2021 13:18:30 GMT

What would be the correct setup in ise for allowing accounts from different AD's but same username to log into my wireless.

E.G. tomparis@voyager.com exist in the first domain and tomparis@bridge.voyager.com exist in the second domain. Both with the same username.
The account belongs to the same person, and changing the username for one of them is in my case not an option because of other infrastructure that depend on it.

I have a fair amount of users that have the same 'problem' and want to find a more suitable solution than asking the user to actually write either @voyager.com or @bridge.voyager.com, as many users have no idea when to use the one or the other.

Would it work if i create two identical authentication policy where the first one looks into the voyager.com and i set the option to

'if auth fail' -> CONTINUE

'if User not found' -> CONTINUE

and then the second policy to look into the bridge.voyager.com with the options to

'if auth fail' -> REJECT

'if User not found' -> REJECT

I'm not sure if this works.

Re: Same username in two domains.

Nadia Bbz — Mon, 20 Sep 2021 14:18:21 GMT

Hello ;

it will be easy if you work with group, you create group in DC and you add users authorized to connect after that in authorization policy you add condition with external group created

Re: Same username in two domains.

howon — Mon, 20 Sep 2021 15:02:48 GMT

Do users have same password on both accounts? If so you can use identity rewrite to change the username before it gets forwarded to AD:

Re: Same username in two domains.

Janne K. — Tue, 21 Sep 2021 07:41:05 GMT

@Nadia BbzYes, we already implement groups, but ise is matching the user from the wrong AD.

@howonThey do not have the same password for the two accounts.

As a workaround right now i have changed the order in the Identity Source Sequences so that it checks the other domain first where the 'correct' user is.

Re: Same username in two domains.

Nadia Bbz — Tue, 21 Sep 2021 09:33:49 GMT

Hello ;

did you added all the domain in Administration -> identity Management -> External Identity Sources -> Active directory

in Identity Source Sequence have you added all domains in authentication search list

Re: Same username in two domains.

hslai — Mon, 27 Sep 2021 05:42:51 GMT

Try using the built-in All_AD_Join_Points or an AD scope.

Below are the results from my tests using the Advanced Tools > Test User for All Join Points

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS

Authentication Domain : demo.local
User found in Instance : demoAD
User Principal Name : test@demo.local
User Distinguished Name : CN=test,CN=Users,DC=demo,DC=local

Groups : 2 found.
Attributes : 32 found.

Authentication time : 117 ms.
Groups fetching time : 2 ms.
Attributes fetching time : 5 ms.

Processing Steps:
05:38:02:717: Resolving identity - test
05:38:02:717: Search for matching accounts at join point - demo.local
05:38:02:723: Single matching account found in forest - demo.local
05:38:02:723: Search for matching accounts at join point - ise.local
05:38:02:729: Single matching account found in forest - ise.local
05:38:02:729: Identity resolution detected multiple matching accounts
05:38:02:738: RPC Logon request succeeded - test@demo.local
05:38:02:833: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@ise.local

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS

Authentication Domain : ise.local
User found in Instance : iseAD
User Principal Name : test@ise.local
User Distinguished Name : CN=test,CN=Users,DC=ise,DC=local

Groups : 2 found.
Attributes : 32 found.

Authentication time : 61 ms.
Groups fetching time : 11 ms.
Attributes fetching time : 6 ms.

Processing Steps:
05:39:14:866: Resolving identity - test
05:39:14:866: Search for matching accounts at join point - demo.local
05:39:14:873: Single matching account found in forest - demo.local
05:39:14:873: Search for matching accounts at join point - ise.local
05:39:14:879: Single matching account found in forest - ise.local
05:39:14:879: Identity resolution detected multiple matching accounts
05:39:14:916: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@demo.local
05:39:14:926: RPC Logon request succeeded - test@ise.local

Re: Same username in two domains.

Janne K. — Mon, 27 Sep 2021 07:47:48 GMT

I do have a custom AD scope that has both blue.red.com and red.com in the authentication search list.

But in my case it never checks the blue.red.com domain if it finds the username in the red.com domain.

My workaround was to change the order in which ISE looks at the domains.

The perfect solution for me would be ISE looking up both domains and then using the one that authenticates successfull,
I just dont see any way to get that working in my setup.