ISE - have 2 domains, but need to login via specific one

robad
Level 1

Hi Guys,

I'll try to explain what I have and what I need.

 

In my company we have 2 domains:

1. Regular

2. Power Domain [it's just a name]

Both domains have similar users, just with different extensions, for example:

robert@regular.com

robert@power.regular.com

 

My ISE is connected to the 'Power' AD [See attached screenshot "connection"]

On the Whitelist Domains I have both domains [see attached screenshot "power"]

 

I want to be able to login to my Network Devices with users from the regular domain.

I've created the needed conditions + policy sets, but logging in to network devices isn't working.

 

Taking a look at the TACACS Live Logs, I see that the issue is that when the user 'robert' tries to access the device, the system sees it as "robert@power.regular.com".

If I try to log in to the device by typing the username "robert@regular.com", I'm able to access the device.

 

I want to be able to connect with just the name "robert" and have the ISE default be the "regular" domain.

 

How can I solve it please? What am I missing?

 

Thanks in advance!

Accepted Solution

ComputerRick
Cisco Employee

This is kind of an open question and without more details, doing the following could break other authentications.

There are some questions that I have about your other users and what authentications you're doing, especially if you have RADIUS and TACACS both occurring on the same join point but need to have them behave differently.

 

This might be a use case for the Identity Rewrite feature. On the AD Join Point, go to the Advanced Settings tab. Scroll down to the Identity Rewrite portion, expand it, and set the [IDENTITY] to rewrite as [IDENTITY]@regular.com.

** The issue with this is that it will rewrite EVERY identity, RADIUS or TACACS, so if you're using this server for anything else, more design consideration would be needed.

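To see the side effect the accepted answer warns about before committing the rule on a shared join point, here is a small added simulation (not Cisco's code and not part of this thread) of an ordered identity-rewrite rule list applied to a set of constructed login attempts. It assumes, as a labelled simplification, that the [IDENTITY] and [DOMAIN] tokens each match text without an '@' or '\' separator and that rules are evaluated top-down with the first match winning; confirm the exact token semantics against the ISE admin guide for your version.

```python
from __future__ import annotations
import re

# ASSUMED token semantics (not stated in the thread; verify in the ISE admin guide):
# each token matches one or more characters that are not an '@' or '\' separator.
_TOKENS = {
    "[IDENTITY]": r"(?P<identity>[^@\\]+)",
    "[DOMAIN]": r"(?P<domain>[^@\\]+)",
}

def compile_pattern(pattern: str) -> re.Pattern:
    """Turn an ISE-style pattern such as '[IDENTITY]@[DOMAIN]' into an anchored regex."""
    parts = re.split(r"(\[IDENTITY\]|\[DOMAIN\])", pattern)
    body = "".join(_TOKENS.get(part, re.escape(part)) for part in parts)
    return re.compile(f"^{body}$")

def rewrite(identity: str, rules: list[tuple[str, str]]) -> str:
    """Apply ordered (match, rewrite_as) rules; first match wins, no match = unchanged."""
    for match_pattern, rewrite_as in rules:
        m = compile_pattern(match_pattern).match(identity)
        if m is None:
            continue
        out = rewrite_as
        for token in _TOKENS:
            captured = m.groupdict().get(token.strip("[]").lower()) or ""
            out = out.replace(token, captured)
        return out
    return identity

# The single rule from the accepted answer: bare names get @regular.com appended.
ANSWER_RULES = [("[IDENTITY]", "[IDENTITY]@regular.com")]

# Constructed sample logins: the rule has no protocol input, so RADIUS and
# TACACS requests on the same join point are rewritten identically.
SAMPLE_LOGINS = [
    ("TACACS", "robert"),                   # the device login from the question
    ("TACACS", "robert@regular.com"),       # user already typed the domain
    ("RADIUS", "alice"),                    # bare name from another service
    ("RADIUS", "alice@power.regular.com"),  # explicitly a power-domain user
]

def simulate(rules, logins=SAMPLE_LOGINS) -> dict[tuple[str, str], str]:
    """Return {(protocol, typed identity): identity sent on to AD} for each login."""
    return {(proto, ident): rewrite(ident, rules) for proto, ident in logins}

if __name__ == "__main__":
    for (proto, typed), sent in simulate(ANSWER_RULES).items():
        print(f"{proto:6} {typed:28} -> {sent}")
```

The bare RADIUS user "alice" is pushed into regular.com just like the TACACS user, which is the design consideration the answer flags for a join point that serves more than one service.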

2 Replies


Yes! It is working!

 

Thanks
