Cisco ISE Active Directory

Hi guys,


We have an issue where the AD has multiple forests, but we are trying to authenticate using only one forest.

What we are seeing is that where the user has one username in one main forest it works properly, but when the user has the same username in two forests it keeps saying the user is not found in AD and blocks his connection.


I have done the following already:

1. In Advanced, only search in the authentication domain from the joined forest.

2. In Authentication Domains, unchecked "Use all Active Directory domains for authentication".

 

But regardless of this, we are not able to get the user to authenticate.

 

Currently ISE is 2.1 and Windows AD is 2016, which recently got upgraded. We are thinking it might be because of that, the two not being compatible.

7 Replies

Hi Nitesh,

The Cisco ISE 2.1 release notes here state that only up to Server 2012 is supported, with no specific mention of Windows Server 2016. This might explain your issue. It seems that from ISE 2.2 Server 2016 is supported.

 

HTH

Dear RJI,

 

This is working in an ISE 1.2 and Windows 2016 solution regardless of it.

 

It seems to be an issue with multi-forest support which started after ISE 1.3.

 

What we have tested is that if the user exists in both domains, with a one-way trust to one of the domains, it keeps saying the user is not found.

 

We even tried to remove the setting in ISE 2.1 that makes it behave the same as ISE 1.2.

 

Windows 2016 got migrated about a month ago; now what we are hearing is that even with Windows 2012 and ISE 2.1 this issue was present, but people didn't highlight it.

 

It seems that when we have the same users in two domains it is not able to query only one domain, regardless of whether you put <domain>\<username> or username@<domain>.

Hi. Could this issue be related to the bug below?

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc51692/?rfs=iqvred

 

I've not come across this issue myself, so I don't know whether this is resolved in ISE versions later than 2.1.

 

hth

Andy

 

The query goes to AD first, but since it has two entries for the particular user and the first user displayed is only the contact, it doesn't move on to the other user to check. So ISE gets confused between the user types Contact and User in Active Directory.
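The failure mode described in this reply, modelled as an added example that is not Cisco ISE code and not from the original post. It simulates a NAC/RADIUS server resolving a RADIUS username against a directory that holds a contact object and a user object with the same sAMAccountName, plus the same account in a second trusted domain. The in-memory directory, the NetBIOS-to-DNS map, and the three lookup functions (`naive_lookup`, `scoped_lookup`, `find_duplicates`) are all constructed for illustration; they are not the query logic ISE actually uses. The naive lookup takes the first match and gives up if it is a contact, which is the behaviour the reply describes; the scoped lookup filters on object class and on the domain named in `DOMAIN\user` or `user@domain`, and `find_duplicates` is the check to run against a directory export before blaming the NAC server.

```python
"""Model of the duplicate-account (user vs contact) lookup failure.

Added illustration; the directory contents, domain names and lookup logic
are constructed assumptions, not Cisco ISE internals.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ADObject:
    domain: str                 # DNS name of the domain holding the object
    sam: str                    # sAMAccountName
    object_class: str           # "user" or "contact"
    upn: Optional[str] = None   # userPrincipalName (contacts have none)


# Constructed sample directory: 'nitesh' exists as a contact and as a user
# in corp.example, and again as a user in the trusted partner.example domain.
# The contact is listed first, as in the result order the reply describes.
DIRECTORY: List[ADObject] = [
    ADObject("corp.example", "nitesh", "contact"),
    ADObject("corp.example", "nitesh", "user", "nitesh@corp.example"),
    ADObject("partner.example", "nitesh", "user", "nitesh@partner.example"),
    ADObject("corp.example", "alice", "user", "alice@corp.example"),
]

# Constructed NetBIOS -> DNS mapping used to resolve DOMAIN\user identities.
NETBIOS_TO_DNS: Dict[str, str] = {
    "corp": "corp.example",
    "partner": "partner.example",
}


def parse_identity(identity: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user', 'user@domain' or bare 'user' into (dns_domain, sam)."""
    if "\\" in identity:
        netbios, sam = identity.split("\\", 1)
        return NETBIOS_TO_DNS.get(netbios.lower()), sam.lower()
    if "@" in identity:
        sam, domain = identity.rsplit("@", 1)
        return domain.lower(), sam.lower()
    return None, identity.lower()


def naive_lookup(identity: str, directory: List[ADObject] = DIRECTORY) -> Optional[ADObject]:
    """First-match lookup: stop at the first object with that sAMAccountName.

    If that object is a contact, the caller is told 'user not found' even
    though a real user with the same name exists further down the results.
    """
    _, sam = parse_identity(identity)
    for obj in directory:
        if obj.sam == sam:
            return obj if obj.object_class == "user" else None
    return None


def scoped_lookup(identity: str, joined_domain: str,
                  directory: List[ADObject] = DIRECTORY) -> Optional[ADObject]:
    """Lookup restricted to user objects in the domain the identity names.

    A bare username is scoped to the joined domain. Returns the single
    matching user, or None when zero or more than one candidate remains,
    so an ambiguous name never silently authenticates the wrong account.
    """
    domain, sam = parse_identity(identity)
    scope = domain or joined_domain.lower()
    candidates = [o for o in directory
                  if o.sam == sam and o.object_class == "user" and o.domain == scope]
    return candidates[0] if len(candidates) == 1 else None


def find_duplicates(directory: List[ADObject] = DIRECTORY) -> Dict[str, List[ADObject]]:
    """Report sAMAccountNames that occur more than once across all objects."""
    seen: Dict[str, List[ADObject]] = {}
    for obj in directory:
        seen.setdefault(obj.sam, []).append(obj)
    return {sam: objs for sam, objs in seen.items() if len(objs) > 1}


if __name__ == "__main__":
    print("naive  nitesh ->", naive_lookup("nitesh"))
    print("scoped nitesh ->", scoped_lookup("nitesh", "corp.example"))
    print("duplicates     ->", find_duplicates())
```

Against a real forest the equivalent of `find_duplicates` is an LDAP search for each sAMAccountName that returns the objectClass of every hit, run against each domain the NAC server is joined to or trusts; any name that comes back with both a user and a contact, or with users in two domains, is a candidate for the symptom in this thread.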

 

Hi Nitesh,

Are you trying to achieve user authentication for endpoints?

-Aravind

This is with regard to user authentication, where if there is a duplicate account (user and contact) Cisco ISE is not able to authenticate the clients in version 2.1.

I am verifying whether it's a version issue, as it's working in 1.2 without any issue.

Are you using the native supplicant or NAM for authentication?

Can you please attach the detailed RADIUS log here?

-Aravind