Enthusiast

to use DN instead of AD user logon name with rewrite rule..

Hi all,

I want to ask about the identity rewrite rule.

In our deployment we are using ISE 2.3, and we have integrated it with AD and with Stealthwatch via pxGrid.

The AD user logon name consists of numbers. That's why these numbers appear on Stealthwatch as the username. We want to see the AD distinguished name as the username in the ISE live log, and we want to send this username info to Stealthwatch.

For example:

    AD user logon name  : 123456
    first name          : murat
    last name           : gok
    distinguished name  : murat gok

Can I do this with the identity rewrite rule?

Thanks in advance,

Murat

Accepted Solution
Cisco Employee

Re: to use DN instead of AD user logon name with rewrite rule..

No. The Identity Rewrite [in Active Directory > Advanced Settings] transforms the input usernames (based on the existing characters) into ones suitable for looking them up in AD, but it is nowhere used to derive sAMAccountName -> display name.

If using regular authentication (i.e. password-based), then the user identity is the username set by the DOT1X supplicants. If using certificate-based authentication, then the user identity is the certificate attribute selected by the certificate authentication profile used.

3 Replies
Enthusiast

Re: to use DN instead of AD user logon name with rewrite rule..

Hi,

Thanks for the info.

I asked Lancope support about this subject, considering that it could be parsed as the username by Lancope.

They said that it can be done by ISE identity rewrite.

But I think it can be done by the ISE PIC syslog sender service. We can do parsing according to the submitted logs, because we are using a custom syslog parsing template with regex for user-IP mapping.

Do you have any suggestion on this subject?

Thanks

Cisco Employee

Re: to use DN instead of AD user logon name with rewrite rule..

Please ask StealthWatch support team to clarify how it can be done by ISE.

Although I've not done it myself, I've seen SMC fetching the full name via LDAP. See the section "Active Directory Configuration" in StealthWatch 6.8 Appliance Administration — Networking fun
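The distinction drawn in the accepted answer (a rewrite rule can only transform the characters already in the username, while turning a numeric sAMAccountName into a display name needs a directory lookup, which is what SMC's LDAP fetch mentioned above provides) can be shown side by side. The following is an added example written for this thread; it is not code from ISE, StealthWatch, Lancope or any poster. The syslog lines and the directory table are constructed, the key=value layout only loosely imitates ISE's style, and the message category name and field names are assumptions, as is the idea of doing the lookup in a custom parser rather than in the product.

```python
import re

# Constructed sample syslog lines (NOT real ISE or StealthWatch output).
# The category name and the UserName= / Framed-IP-Address= fields are
# assumptions modelled on a generic key=value authentication event.
SAMPLE_LOGS = [
    "<134>Jan 10 09:12:44 ise-node CISE_Passed_Authentications: UserName=CORP\\123456, Framed-IP-Address=10.1.2.3",
    "<134>Jan 10 09:13:01 ise-node CISE_Passed_Authentications: UserName=654321@corp.example, Framed-IP-Address=10.1.2.4",
    "<134>Jan 10 09:13:09 ise-node CISE_Passed_Authentications: UserName=jdoe, Framed-IP-Address=10.1.2.5",
    # malformed line (empty username): must be skipped, not mapped
    "<134>Jan 10 09:14:00 ise-node CISE_Passed_Authentications: UserName=, Framed-IP-Address=10.1.2.6",
]

# Constructed stand-in for an LDAP lookup of displayName keyed by sAMAccountName.
# In a real deployment this would be an LDAP query against AD, not a dict.
DIRECTORY = {
    "123456": "murat gok",
    "654321": "jane roe",
}

# What an identity-rewrite style rule CAN do: reshape the characters that are
# already present, e.g. strip a DOMAIN\ prefix or an @realm suffix.
REWRITE_RULES = [
    (re.compile(r"^[^\\]+\\(.+)$"), r"\1"),   # DOMAIN\user -> user
    (re.compile(r"^(.+)@[^@]+$"), r"\1"),     # user@realm -> user
]

LOG_RE = re.compile(
    r"UserName=(?P<user>[^,\s]+),\s*"
    r"Framed-IP-Address=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def identity_rewrite(username):
    """Apply character-based rewrite rules; no external data is consulted."""
    for pattern, replacement in REWRITE_RULES:
        username = pattern.sub(replacement, username)
    return username


def parse_line(line):
    """Extract (username, ip) from one syslog line, or None if it does not match."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    return match.group("user"), match.group("ip")


def resolve_display_name(sam_account_name, directory=DIRECTORY):
    """What a rewrite rule CANNOT do: map a logon name to a display name.

    This needs a directory lookup. Falls back to the raw logon name when the
    directory has no entry, so unknown accounts are still attributed.
    """
    return directory.get(sam_account_name, sam_account_name)


def build_user_ip_mapping(lines, directory=DIRECTORY):
    """Return {ip: display_name} from a batch of syslog lines.

    Lines that fail the regex are skipped rather than mapped to a bogus user.
    """
    mapping = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        raw_user, ip = parsed
        sam = identity_rewrite(raw_user)
        mapping[ip] = resolve_display_name(sam, directory)
    return mapping


if __name__ == "__main__":
    for ip, name in build_user_ip_mapping(SAMPLE_LOGS).items():
        print(f"{ip} -> {name}")
```

Running the block yields three mappings (the malformed fourth line is dropped). The rewrite step alone would only ever produce `123456`, which is exactly the behaviour described in the accepted answer; the readable name appears only after the directory lookup, which is why the later reply points at SMC's own LDAP configuration rather than at ISE's rewrite rule.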