robad
Beginner

ISE - have 2 domains, but need to login via specific one

Hi Guys,

I'll try to explain what I have and what I need.

In my company we have 2 domains:

1. Regular

2. Power Domain [it's just a name]

Both domains have similar users, just with a different extension, for example:

robert@regular.com

robert@power.regular.com

My ISE is connected to the 'Power' AD [see attached screenshot "connection"].

On the Whitelist Domains I have both domains [see attached screenshot "power"].

I want to be able to log in to my network devices with users from the regular domain.

I've created the needed conditions + policy sets, but login to network devices isn't working.

Taking a look at the TACACS Live Logs, I see that the issue is that when the user 'robert' tries to access the device, the system sees it as "robert@power.regular.com".

If I try to log in to the device by typing the username "robert@regular.com", I'm able to access the device.

I want to be able to connect with just the name "robert" and have ISE default to the "regular" domain.

How can I solve this, please? What am I missing?

Thanks in advance!

Accepted Solution
ComputerRick
Cisco Employee

This is kind of an open question and without more details, doing the following could break other authentications.

There are some questions that I have about your other users and what authentications you're doing, especially if you have RADIUS and TACACS both occurring on the same join point but need to have them behave differently.

This might be a use case for the Identity Rewrite feature. On the AD Join Point, go to the Advanced Settings tab. Scroll down to the Identity Rewrite portion, expand it, and set the [IDENTITY] to rewrite as [IDENTITY]@regular.com.

** The issue with this is that it will rewrite EVERY identity, RADIUS or TACACS, so if you're using this server for anything else, more design consideration would be needed.
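To make the caveat in the accepted answer concrete, here is a small added Python model of the Identity Rewrite rule (example code, not ISE's own implementation); its semantics are assumptions: rules are tried in order, the first matching pattern wins, and the [IDENTITY] and [DOMAIN] placeholders each match any non-empty text. It applies the [IDENTITY] -> [IDENTITY]@regular.com rule to identities like those in the question, and also shows an assumed rule ordering that leaves already-qualified names untouched.

```python
import re

# Simplified model of the ISE AD join point Identity Rewrite (assumptions: rules are
# evaluated in order, the first rule whose pattern matches wins, [IDENTITY] and
# [DOMAIN] each match any non-empty run of characters, and an identity that matches
# no rule is passed through unchanged).

def _compile(pattern):
    """Turn a rewrite match pattern such as '[IDENTITY]@[DOMAIN]' into a regex."""
    out = []
    for part in re.split(r"(\[(?:IDENTITY|DOMAIN)\])", pattern):
        if part in ("[IDENTITY]", "[DOMAIN]"):
            out.append(f"(?P<{part[1:-1]}>.+?)")   # named placeholder, lazy match
        else:
            out.append(re.escape(part))            # literal text such as '@'
    return re.compile("".join(out))

def rewrite(identity, rules):
    """Apply the first matching (pattern, replacement) rule to identity."""
    for pattern, replacement in rules:
        m = _compile(pattern).fullmatch(identity)
        if m:
            result = replacement
            for name, value in m.groupdict().items():
                result = result.replace(f"[{name}]", value)
            return result
    return identity

# The single rule from the accepted answer: every identity gets @regular.com appended.
ANSWER_RULE = [("[IDENTITY]", "[IDENTITY]@regular.com")]

# Assumed scoped variant: a pass-through rule for identities that already carry a
# domain, placed before the answer's rule so only bare usernames are rewritten.
SCOPED_RULES = [("[IDENTITY]@[DOMAIN]", "[IDENTITY]@[DOMAIN]")] + ANSWER_RULE

# Constructed sample identities, modelled on the ones in the question.
SAMPLES = ["robert", "robert@regular.com", "robert@power.regular.com"]

def demo(rules):
    """Return {identity: rewritten identity} for the sample set under the given rules."""
    return {s: rewrite(s, rules) for s in SAMPLES}

if __name__ == "__main__":
    for label, rules in (("answer rule", ANSWER_RULE), ("scoped rules", SCOPED_RULES)):
        print(label)
        for before, after in demo(rules).items():
            print(f"  {before!r:28} -> {after!r}")
```

Under the single rule, an identity that already contains a domain comes out with a second suffix appended, which is the "rewrites EVERY identity" effect the answer warns about; the scoped ordering only touches bare usernames.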


Replies

Yes! It is working!

Thanks
