https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520523#M571784 <P>Hello!</P><P>We have:</P><P><BR />- ISE&nbsp;<SPAN>3.0.0.458</SPAN><BR />- AnyConnect<BR />- ASA<BR /><BR /></P><P>Users connect with AnyConnect to the corporate network using a certificate. On ASA - We take the attribute CN from it (username-from-certificate CN).</P><P>Example: CN - Ivan Ivanov.</P><P>&nbsp;</P><P>During authentication, ISE starts looking for a user in AD, but we get an error: Identity resolution failed - ERROR_NO_SUCH_USER.</P><P>&nbsp;</P><P><SPAN>24325&nbsp;Resolving identity - Ivan Ivanov</SPAN></P><P><SPAN>24313&nbsp;Search for matching accounts at join point - test.ru</SPAN></P><P><SPAN>24318&nbsp;No matching account found in forest -&nbsp;test.ru</SPAN></P><P>24322 I<SPAN>dentity resolution detected no matching account</SPAN></P><P><SPAN>24352&nbsp;Identity resolution failed - ERROR_NO_SUCH_USER</SPAN></P><P>&nbsp;</P><P>If you look for the user Ivan.ivanov (sAMAccountName) when adding attributes, then everything is fine. But if we search for the user Ivan Ivanov, we will get the error above.</P><P>&nbsp;</P><P>Please tell me how we can solve this problem? After all, we cannot substitute the sAMAccountName attribute on the ASA (username-from-certificate).</P><P><SPAN>sAMAccountName</SPAN></P><P>&nbsp;</P><P><SPAN>The error is repeated for any parameters in Certificate Authentication Profile.</SPAN></P> Fri, 17 Dec 2021 12:46:16 GMT Alina S 2021-12-17T12:46:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520523#M571784 <P>Hello!</P><P>We have:</P><P><BR />- ISE&nbsp;<SPAN>3.0.0.458</SPAN><BR />- AnyConnect<BR />- ASA<BR /><BR /></P><P>Users connect with AnyConnect to the corporate network using a certificate. On ASA - We take the attribute CN from it (username-from-certificate CN).</P><P>Example: CN - Ivan Ivanov.</P><P>&nbsp;</P><P>During authentication, ISE starts looking for a user in AD, but we get an error: Identity resolution failed - ERROR_NO_SUCH_USER.</P><P>&nbsp;</P><P><SPAN>24325&nbsp;Resolving identity - Ivan Ivanov</SPAN></P><P><SPAN>24313&nbsp;Search for matching accounts at join point - test.ru</SPAN></P><P><SPAN>24318&nbsp;No matching account found in forest -&nbsp;test.ru</SPAN></P><P>24322 I<SPAN>dentity resolution detected no matching account</SPAN></P><P><SPAN>24352&nbsp;Identity resolution failed - ERROR_NO_SUCH_USER</SPAN></P><P>&nbsp;</P><P>If you look for the user Ivan.ivanov (sAMAccountName) when adding attributes, then everything is fine. But if we search for the user Ivan Ivanov, we will get the error above.</P><P>&nbsp;</P><P>Please tell me how we can solve this problem? After all, we cannot substitute the sAMAccountName attribute on the ASA (username-from-certificate).</P><P><SPAN>sAMAccountName</SPAN></P><P>&nbsp;</P><P><SPAN>The error is repeated for any parameters in Certificate Authentication Profile.</SPAN></P> Fri, 17 Dec 2021 12:46:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520523#M571784 Alina S 2021-12-17T12:46:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520771#M571795 <P>It looks to me as if the certificate does not contain a UPN (user principal name) - like Ivan.Ivanov&nbsp; or <A href="mailto:Ivan.Ivanov@somedomain" target="_blank">Ivan.Ivanov@somedomain</A></P> <P>Have a look at the certificate (Subject and Subject Alternative Name) - you need to put something in there that ISE can use to lookup in AD. It won't work with the "Full Name" like Ivan Ivanov. By default, this is what Windows CA would put in the Subject CN. It's nice and human-readable, but not machine-readable.</P> <P>One solution would be to change the cert template to add the UPN into the SAN. Re-issue the cert and test again.</P> Fri, 17 Dec 2021 20:59:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520771#M571795 Arne Bier 2021-12-17T20:59:57Z https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520942#M571803 <P>We have UPN - <A href="mailto:Ivan.ivanov@test.ru" target="_blank" rel="noopener">Ivan.ivanov@test.ru</A>, but with such settings on the ASA (username-from-certificate UPN) the ISE shows an error: 24325 Resolving Identity - &lt;Unknown&gt;.</P><P>&nbsp;</P><P>Issuing new certificates is quite problematic, since there are many existing users <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> But just in case, I'll ask right away.<BR />If we use SAN, what attribute to specify in the command:&nbsp;username-from-certificate &lt;?&gt;</P><P>&nbsp;</P> Sat, 18 Dec 2021 10:56:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/4520942#M571803 Alina S 2021-12-18T10:56:57Z https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/5013295#M587099 <P>Do you have multiple domains or forest trust to other domains on this AD join point? If so, did you the correct domain for authentication ?</P> Tue, 06 Feb 2024 00:10:19 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-identity-resolution-failed-error-no-such-user/m-p/5013295#M587099 Sri Harsha Dasari 2024-02-06T00:10:19Z