10-07-2021 12:51 AM - last edited on 03-09-2022 11:07 PM by smallbusiness
Hi Guys,
I'll try to explain what I have and what I need.
In my company we have 2 Domains :
1. Regular
2. Power Domain [it's just a name]
Both domains have similar users, just with different extensions, for example:
My ISE is connected to the 'Power' AD [see attached screenshot "connection"].
On the Whitelisted Domains I have both domains [see attached screenshot "power"].
I want to be able to login to my Network Devices with users from the regular domain.
I've created the needed conditions + policy sets, but logging in to network devices isn't working.
Taking a look at the TACACS Live Logs, I see that the issue is that when the user 'robert' tries to access the device, the system sees it as "rebort@power.regular.com".
If I try to log in to the device by entering the username "robert@regular.com", I'm able to access the device.
I want to be able to connect with just the name "robert", and have the ISE default to the "regular" domain.
How can I solve it, please? What am I missing?
Thanks in advance!
10-08-2021 10:46 AM
This is kind of an open question, and without more details, doing the following could break other authentications.
There are some questions that I have about your other users and what authentications you're doing, especially if you have RADIUS and TACACS both occurring on the same join point but need them to behave differently.
This might be a use case for the Identity Rewrite feature. On the AD Join Point, go to the Advanced Settings tab. Scroll down to the Identity Rewrite portion, expand it, and set the [IDENTITY] to rewrite as [IDENTITY]@regular.com.
** The issue with this is that it will rewrite EVERY identity, RADIUS or TACACS, so if you're using this server for anything else, more design consideration would be needed.
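As an added illustration (not code from the answer or from Cisco ISE): a small Python model of how an ordered Identity Rewrite rule list behaves, assuming first-match-wins evaluation and the [IDENTITY]/[DOMAIN] placeholders. It shows the single rule from the answer suffixing every identity, including ones that already carry a domain, and a scoped rule order (an assumption, not from the thread) that only suffixes bare usernames.

```python
import re

# Constructed model of an ISE Identity Rewrite rule list. Assumptions: rules are
# evaluated top-down, the first match wins, and [IDENTITY] / [DOMAIN] are the
# placeholders allowed in both the match and the rewrite pattern.
PLACEHOLDERS = {
    "[IDENTITY]": r"(?P<IDENTITY>.+)",
    "[DOMAIN]": r"(?P<DOMAIN>.+)",
}


def _compile(match_pattern):
    """Turn a match pattern such as '[IDENTITY]@[DOMAIN]' into an anchored regex."""
    regex = re.escape(match_pattern)
    for token, group in PLACEHOLDERS.items():
        regex = regex.replace(re.escape(token), group)
    return re.compile("^" + regex + "$")


def rewrite_identity(identity, rules):
    """Apply the first matching (match, rewrite) rule; unmatched identities pass through."""
    for match_pattern, rewrite_pattern in rules:
        m = _compile(match_pattern).match(identity)
        if m:
            out = rewrite_pattern
            for token in PLACEHOLDERS:
                out = out.replace(token, m.groupdict().get(token.strip("[]"), ""))
            return out
    return identity


# The single rule from the accepted answer: every identity gets @regular.com appended.
ANSWER_RULES = [("[IDENTITY]", "[IDENTITY]@regular.com")]

# Narrower variant (assumption): identities that already carry a domain, in
# UPN or NetBIOS form, are matched first and left unchanged; only bare usernames
# receive the suffix.
SCOPED_RULES = [
    ("[IDENTITY]@[DOMAIN]", "[IDENTITY]@[DOMAIN]"),
    ("[DOMAIN]\\[IDENTITY]", "[DOMAIN]\\[IDENTITY]"),
    ("[IDENTITY]", "[IDENTITY]@regular.com"),
]

if __name__ == "__main__":
    for ident in ("robert", "alice@power.regular.com", "POWER\\bob"):
        print(ident, "->", rewrite_identity(ident, ANSWER_RULES),
              "|", rewrite_identity(ident, SCOPED_RULES))
```

In this model the answer's single rule turns an already-qualified login such as alice@power.regular.com into alice@power.regular.com@regular.com, which is the kind of side effect the caveat above warns about; check the TACACS and RADIUS Live Logs for every identity form in use before deploying the rule.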
10-10-2021 01:07 AM
Yes! It is working!
Thanks