topic Re: TEAP Failed User in Network Access Control

TEAP Failed User

Leonardo Santana — Fri, 09 Jan 2026 17:33:34 GMT

Hi,

Our customer is using 2xCisco ISE 3.4 P3 integrated with AD.

They have two domains xyz.com and aaa.com.

Cisco ISE is configured at the domain xyz.com

We are using TEAP for dot1x and the computer authentication is working. Only the user authentication is failling.

The computer certificate is using the as SAN the name.zyz.com and the user certificate is using the other domain user@aaa.com.

The user domain is an alias.

How ISE will look this? Because the user authentication is failling. The domain must be the same for users and computers?

Re: TEAP Failed User

Cristian Matei — Fri, 09 Jan 2026 19:27:56 GMT

Hi,

The two domains, xyzzy.com and aaa.com are totally separate domains, or part of a forest with trust in between?

ISE is integrated only with domain xyz.com?

The user certificate SAN is user@aaa.com?

SAN / Identity of computer and user don't need to be part of the same domain or have the same domain extension, it's a matter of proper integration and configuration on ISE side. Can you post a print-screen with the authentication failure message from ISE?

Thanks,

Cristian.

Re: TEAP Failed User

Leonardo Santana — Sat, 10 Jan 2026 17:25:18 GMT

Hi,

The two domains, xyzzy.com and aaa.com are totally separate domains, or part of a forest with trust in between?

The xyz.com is a domain and aaa.com is just an alias.

ISE is integrated only with domain xyz.com? Yes

The user certificate SAN is user@aaa.com? Yes

The aaa.com is not under allowed domains at Cisco ISE.

Re: TEAP Failed User

Cristian Matei — Sun, 25 Jan 2026 19:26:09 GMT

Hi,

@Leonardo Santana If main aaa.com is an alias for domain xyz.com, you need to use ISE Identity Rewrite feature for user authentication with SAN in format user@aaa.com to be successful. See here starting with page 668:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3.pdf

Thanks,

Cristian.