
Cisco ISE 1.3 disable "Identity Resolve" step?

marc.groenen
Level 1

Currently I am working for a customer with a Cisco ISE 1.3 deployment.

The Cisco APs are currently authenticated through MAB. The customer wants to improve this, and I suggested implementing EAP-FAST instead of MAB for the APs as a quick and easy fix.

I have this working in the test and production environments, but while I was cycling through the authentication process I found something strange.

I created a rule so that if the network tunnel protocol is EAP-FAST, the credentials are authenticated through Internal Users.

This works fine; ISE recognises the flow and authenticates through Internal Users.

15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.EapAuthentication
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - EAP-FAST
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - <<Username>>
24212 Found User in Internal Users IDStore
22037 Authentication Passed

Further down the path it decides to look the user up in Active Directory.

Since the user hasn't been created in Active Directory, it can't find it.

24432 Looking up user in Active Directory - <<Active Directory >> 
24325 Resolving identity - <<Username>>
24313 Search for matching accounts at join point - <<Active Directory >>
24318 No matching account found in forest - <<Active Directory >>
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - <<Active Directory >>
15048 Queried PIP - <<Active Directory >>.ExternalGroups
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - AP_EAPFAST
15016 Selected Authorization Profile - AP_Lan
11002 Returned RADIUS Access-Accept

So the authentication and authorisation are successful, but it tries to resolve the user in Active Directory.

I checked the authentication process for MAB, and there I see the same error.

The MAC address of the device used for MAB is also only added to ISE, so the authentication goes through Internal Users. Authentication and authorisation are successful, but ISE wants to resolve the user (the MAC address of the device) in Active Directory.

We also see this step for the EAP-TLS flow, and in this case the identity resolution step is of course successful.

Is there some way I can disable the resolving of identity through AD when using the Internal Users group (or globally)?

I did some searching and found this (LDAP User Lookup):

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1067288

When I look at our deployment, there is nothing configured under LDAP.

Accepted Solution

jan.nielsen
Level 7

If you have ANY authorization rules that use AD groups placed before your MAB or EAP-FAST rules, ISE will do a lookup to see whether it should match that rule. Put your MAB and EAP-FAST rules before any AD membership rules, and it won't do the lookup.

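To make the ordering point in the accepted answer concrete, here is a small Python model of top-down, first-match authorization policy evaluation with lazily resolved attributes (PIP queries). This is an added illustration, not Cisco code and not how ISE is implemented internally; it is modelled after the step trace in the post. The step codes in the trace (15048, 24325, 24352, 15004, 15016) and the names AP_EAPFAST, AP_Lan and Network Access.EapTunnel are taken from the log above; the rule Employee_Dot1X, the profile Employee_Lan, the AD account list, and the session data are constructed for the example. The join point that the post redacts as `<<Active Directory >>` is called `AD` here. The example also goes slightly beyond the post by showing that moving the AP rule up does not break the AD rule for a real AD user.

```python
# Added example (not Cisco's code): a model of first-match authorization policy
# evaluation where a rule condition that references AD groups triggers an AD
# lookup (PIP query) for every session that reaches it, even one that was
# authenticated against Internal Users. Rule order decides whether that
# lookup happens at all. Step codes in the trace are copied from the post's
# ISE log; rule names other than AP_EAPFAST/AP_Lan and all session data are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed AD join point contents: only one account exists. The AP's
# EAP-FAST username and the MAB MAC address live in Internal Users only.
AD_ACCOUNTS: Dict[str, Set[str]] = {"jdoe": {"Domain Users", "Employees"}}


@dataclass
class Session:
    username: str
    eap_tunnel: Optional[str]            # "EAP-FAST", "EAP-TLS", or None for MAB
    attrs: Dict[str, object] = field(default_factory=dict)   # resolved PIP values
    trace: List[str] = field(default_factory=list)
    ad_lookups: int = 0

    def pip(self, name: str):
        """Policy Information Point query: resolve an attribute on first use only."""
        if name in self.attrs:
            return self.attrs[name]
        self.trace.append(f"15048 Queried PIP - {name}")
        if name == "Network Access.EapTunnel":
            value: object = self.eap_tunnel
        elif name == "AD.ExternalGroups":
            # This is the lookup the post is asking about: it runs because a
            # rule condition referenced the attribute, not because of the
            # identity source used for authentication.
            self.ad_lookups += 1
            self.trace.append(f"24325 Resolving identity - {self.username}")
            groups = AD_ACCOUNTS.get(self.username)
            if groups is None:
                self.trace.append("24352 Identity resolution failed - ERROR_NO_SUCH_USER")
                value = set()          # no groups, so group conditions evaluate false
            else:
                value = groups
        else:
            raise KeyError(f"unknown attribute {name}")
        self.attrs[name] = value
        return value


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str


def evaluate(rules: List[Rule], session: Session) -> str:
    """Top-down, first-match: conditions of earlier rules are evaluated first."""
    for rule in rules:
        if rule.condition(session):
            session.trace.append(f"15004 Matched rule - {rule.name}")
            session.trace.append(f"15016 Selected Authorization Profile - {rule.profile}")
            return rule.profile
    session.trace.append("15004 Matched rule - Default")
    return "DenyAccess"


# Constructed rule referencing AD groups (the kind the answer says to move down).
EMPLOYEE_DOT1X = Rule("Employee_Dot1X",
                      lambda s: "Employees" in s.pip("AD.ExternalGroups"),
                      "Employee_Lan")
# The AP rule from the post's log: matches on the EAP tunnel type only.
AP_EAPFAST = Rule("AP_EAPFAST",
                  lambda s: s.pip("Network Access.EapTunnel") == "EAP-FAST",
                  "AP_Lan")


def run(rules: List[Rule], username: str = "ap-0001", tunnel: Optional[str] = "EAP-FAST"):
    """Evaluate one session; returns (profile, number of AD lookups, step trace)."""
    session = Session(username=username, eap_tunnel=tunnel)
    profile = evaluate(rules, session)
    return profile, session.ad_lookups, session.trace


if __name__ == "__main__":
    for label, rules in (("AD rule first", [EMPLOYEE_DOT1X, AP_EAPFAST]),
                         ("AP rule first", [AP_EAPFAST, EMPLOYEE_DOT1X])):
        profile, lookups, trace = run(rules)
        print(f"\n== {label}: profile={profile}, AD lookups={lookups}")
        print("\n".join(trace))
```

With the AD rule above the AP rule, the AP session still ends in AP_Lan, but only after an AD lookup that fails with ERROR_NO_SUCH_USER, exactly the pattern in the post's log. With the AP rule first, the session matches before any condition touches AD.ExternalGroups, so no lookup is made. A real AD user that does not match the AP rule still falls through to the AD rule and gets Employee_Lan, so the reordering costs nothing for those sessions.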

2 Replies


Awesome thanks!