Solved: Cisco ISE 1.2 and AD Group

steelinquisitor · ‎01-02-2014

Hello,

I have Cisco ISE installed on my EXSi server for my test pilot. I have added several AD groups to ISE as well.

I have created an Authorization policy condition, which is WIRELESS_DOT1X_USERS (see screenshot)
Basically, I just duplicated the default Wireless_802.1X and added Network Access:EapAuthentication, Equals, EAP-TLS.

My problem is, I was unable to join the wireless network if I added my AD group to the Authorization policy (see screenshot). The user that I have is a member of WLAN-USERS. If I removed the AD group from the Authorization policy, the use is able to join the wireless network.

I attached the ISE logs screenshot as well. I checked the ISE, AD/NPS, WLC, laptop time and date, and they are all in synched.

I also have the WLC added as NPS client on my network.

I checked the AD log and what I found was the WLCs local management user trying to authenticate. It is supposed to be my wireless user credential not the WLC.

This is the log that I got from the AD/NPS

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: admin

Account Domain: AAENG

Fully Qualified Account Name: AAENG\admin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: -

Calling Station Identifier: -

NAS:

NAS IPv4 Address: 172.28.255.42

NAS IPv6 Address: -

NAS Identifier: RK3W5508-01

NAS Port-Type: -

NAS Port: -

RADIUS Client:

Client Friendly Name: RK3W5508-01

Client IP Address: 172.28.255.42

Authentication Details:

Connection Request Policy Name: Use Windows authentication for all users

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: WIN-RSTMIMB7F45.aaeng.local

Authentication Type: PAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Tarik Admani · ‎01-02-2014

Hi,

The problem is with the name ISE is choosing to perform the AD lookup. If you look in the ISE logs towards the bottom you will see the username that ISE is using (firstname lastname) to perform the AD lookup.

In your certificate template see which attribute containst the AD name (possibly dns name or email, or the RFC 822 NT principle name), go in your cerificate authentication profile and use that attribute for the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

Tarik Admani · ‎01-02-2014

Hi,

The problem is with the name ISE is choosing to perform the AD lookup. If you look in the ISE logs towards the bottom you will see the username that ISE is using (firstname lastname) to perform the AD lookup.

In your certificate template see which attribute containst the AD name (possibly dns name or email, or the RFC 822 NT principle name), go in your cerificate authentication profile and use that attribute for the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

steelinquisitor · ‎01-03-2014

Thank you Tarik,

I got my AD group working. What I did, I checked the user's certificate that is installed on the laptop then modified the ISE certificate authentication profile to "Subject Alternative Name". I had the ISE set to common name when I was having an issue.

I forgot to mentioned that I have to servers in my ISE test pilot. I have AD with NPS, and CA. These servers are Windows 2008 R2.

I am a little confuse about the attribute in certificate template you have mentioned. Is that located at Certificate Authority/server-name/Certificate Templates/Users? I am not sure where to look for that attribute on the CA server.

Tarik Admani · ‎01-03-2014

I am sorry, its not the certificate template, what I meant to say was the user's certificate. Been some long hours already on the third day of the year.

Thanks,

Tarik Admani
*Please rate helpful posts*

steelinquisitor · ‎01-03-2014

Thanks for clarifications

steelinquisitor · ‎01-03-2014

Also, I'm just wondering I have selected "cn" for my attributes on Administration/Identity Management/External Identity Source/Attributes

By default the Certificate Authentication Profile is set to Common Name. Before I had mine set to common name and it was not matching my certificate that I have on the users laptop. Just like I mentioned above when I switched it to Alternative Name, I was able to join the wireless network.

My question is what is the purpose of ISE attributes?
Right now my test users are able to join the WLAN, but my attribute is still "cn"

Sent from Cisco Technical Support iPhone App