steelinquisitor
Beginner

Cisco ISE 1.2 and AD Group

Hello,

I have Cisco ISE installed on my ESXi server for my test pilot. I have added several AD groups to ISE as well.

I have created an Authorization policy condition, which is WIRELESS_DOT1X_USERS (see screenshot)
Basically, I just duplicated the default Wireless_802.1X and added Network Access:EapAuthentication, Equals, EAP-TLS.

My problem is, I was unable to join the wireless network if I added my AD group to the Authorization policy (see screenshot). The user that I have is a member of WLAN-USERS. If I remove the AD group from the Authorization policy, the user is able to join the wireless network.

I attached the ISE logs screenshot as well. I checked the ISE, AD/NPS, WLC and laptop time and date, and they are all in sync.

I also have the WLC added as NPS client on my network.

I checked the AD log and what I found was the WLC's local management user trying to authenticate. It is supposed to be my wireless user credential, not the WLC.

This is the log that I got from the AD/NPS:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID: NULL SID
  Account Name: admin
  Account Domain: AAENG
  Fully Qualified Account Name: AAENG\admin

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: -
  Calling Station Identifier: -

NAS:
  NAS IPv4 Address: 172.28.255.42
  NAS IPv6 Address: -
  NAS Identifier: RK3W5508-01
  NAS Port-Type: -
  NAS Port: -

RADIUS Client:
  Client Friendly Name: RK3W5508-01
  Client IP Address: 172.28.255.42

Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: -
  Authentication Provider: Windows
  Authentication Server: WIN-RSTMIMB7F45.aaeng.local
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 16
  Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Accepted Solution
Tarik Admani
Advocate

Hi,

The problem is with the name ISE is choosing to perform the AD lookup. If you look in the ISE logs towards the bottom you will see the username that ISE is using (firstname lastname) to perform the AD lookup.

In your certificate template see which attribute contains the AD name (possibly DNS name or email, or the RFC 822 NT principal name), go into your certificate authentication profile and use that attribute for the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

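The mismatch Tarik describes, modelled as an added example (this is not Cisco or ISE code): the certificate authentication profile picks one field of the client certificate as the username, and AD can only resolve that string if it is a login name (sAMAccountName, DOMAIN\user, UPN or mail), never a display name such as "Firstname Lastname". The profile names, the sample certificate and the directory contents below are constructed for illustration.

```python
"""Model of EAP-TLS identity selection and AD lookup (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ClientCert:
    """Certificate fields a profile can pick the username from (constructed model)."""
    subject_cn: str
    san_rfc822: Optional[str] = None   # Subject Alternative Name, email form
    san_upn: Optional[str] = None      # SAN otherName carrying a Microsoft UPN
    san_dns: Optional[str] = None      # SAN DNS name, usual for machine certificates


# Constructed directory keyed by sAMAccountName; not real accounts.
DIRECTORY: Dict[str, dict] = {
    "jdoe": {
        "displayName": "Jane Doe",
        "userPrincipalName": "jdoe@aaeng.local",
        "mail": "jane.doe@aaeng.local",
        "memberOf": ["WLAN-USERS", "Domain Users"],
    },
}

# Hypothetical profile names mapped to the certificate field they select.
PROFILE_FIELDS = {
    "common-name": "subject_cn",
    "san-email": "san_rfc822",
    "san-upn": "san_upn",
    "san-dns": "san_dns",
}


def identity_from_cert(cert: ClientCert, profile: str) -> Optional[str]:
    """Return the string the profile would send to AD, or None if the field is absent."""
    return getattr(cert, PROFILE_FIELDS[profile])


def lookup_user(identity: str, domain: str = "AAENG") -> Optional[str]:
    """Resolve a login-style identity to a sAMAccountName, or None.

    Accepts UPN or mail (user@realm), down-level (DOMAIN\\user) or a bare
    sAMAccountName. A displayName such as 'Jane Doe' is never a match, which
    is exactly why a profile set to Common Name fails on user certificates
    whose CN is the person's name.
    """
    ident = identity.strip()
    if "@" in ident:
        for sam, attrs in DIRECTORY.items():
            if ident.lower() in (attrs["userPrincipalName"].lower(), attrs["mail"].lower()):
                return sam
        return None
    if "\\" in ident:
        dom, _, user = ident.partition("\\")
        if dom.upper() != domain.upper():
            return None
        ident = user
    return ident.lower() if ident.lower() in DIRECTORY else None


def authorize(cert: ClientCert, profile: str, required_group: str) -> Tuple[bool, str, str]:
    """Apply the profile, resolve the user and check group membership.

    Returns (allowed, identity sent to AD, reason) so a failed lookup can be
    distinguished from a user who simply is not in the required group.
    """
    identity = identity_from_cert(cert, profile)
    if not identity:
        return False, "", f"profile {profile!r} selects a field the certificate does not carry"
    sam = lookup_user(identity)
    if sam is None:
        return False, identity, f"no AD account matches {identity!r}"
    if required_group not in DIRECTORY[sam]["memberOf"]:
        return False, identity, f"{sam} is not a member of {required_group}"
    return True, identity, f"{sam} is a member of {required_group}"


# Constructed user certificate: CN is the display name, SAN carries the UPN.
SAMPLE_CERT = ClientCert(
    subject_cn="Jane Doe",
    san_rfc822="jane.doe@aaeng.local",
    san_upn="jdoe@aaeng.local",
)

if __name__ == "__main__":
    for profile in PROFILE_FIELDS:
        print(f"{profile:12} -> {authorize(SAMPLE_CERT, profile, 'WLAN-USERS')}")
```

Running it prints one line per profile choice: `common-name` fails with "no AD account matches 'Jane Doe'" while `san-upn` and `san-email` resolve to the same account and pass the WLAN-USERS check. When comparing an ISE failure against the certificate, look at which string ISE actually sent (the third tuple element here) before touching the AD group condition.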

Replies

Thank you Tarik,

I got my AD group working. What I did was check the user's certificate that is installed on the laptop, then modify the ISE certificate authentication profile to "Subject Alternative Name". I had the ISE set to Common Name when I was having the issue.

I forgot to mention that I have two servers in my ISE test pilot. I have AD with NPS, and a CA. These servers are Windows 2008 R2.

I am a little confused about the attribute in the certificate template you mentioned. Is that located at Certificate Authority/server-name/Certificate Templates/Users? I am not sure where to look for that attribute on the CA server.

I am sorry, it's not the certificate template; what I meant to say was the user's certificate. Been some long hours already on the third day of the year.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks for the clarifications.

Also, I'm just wondering: I have selected "cn" for my attributes under Administration/Identity Management/External Identity Source/Attributes.

By default the Certificate Authentication Profile is set to Common Name. Before I had mine set to common name and it was not matching my certificate that I have on the users laptop. Just like I mentioned above when I switched it to Alternative Name, I was able to join the wireless network.

My question is what is the purpose of ISE attributes?
Right now my test users are able to join the WLAN, but my attribute is still "cn"
