12-17-2021 04:46 AM
Hello!
We have:
- ISE 3.0.0.458
- AnyConnect
- ASA
Users connect with AnyConnect to the corporate network using a certificate. On the ASA we take the CN attribute from it (username-from-certificate CN).
Example: CN - Ivan Ivanov.
During authentication, ISE starts looking for a user in AD, but we get an error: Identity resolution failed - ERROR_NO_SUCH_USER.
24325 Resolving identity - Ivan Ivanov
24313 Search for matching accounts at join point - test.ru
24318 No matching account found in forest - test.ru
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
If you look for the user Ivan.ivanov (sAMAccountName) when adding attributes, then everything is fine. But if we search for the user Ivan Ivanov, we will get the error above.
Please tell me how we can solve this problem. After all, we cannot substitute the sAMAccountName attribute on the ASA (username-from-certificate).
The error is repeated for any parameters in Certificate Authentication Profile.
12-17-2021 12:59 PM
It looks to me as if the certificate does not contain a UPN (user principal name) - like Ivan.Ivanov or Ivan.Ivanov@somedomain
Have a look at the certificate (Subject and Subject Alternative Name) - you need to put something in there that ISE can use to lookup in AD. It won't work with the "Full Name" like Ivan Ivanov. By default, this is what Windows CA would put in the Subject CN. It's nice and human-readable, but not machine-readable.
One solution would be to change the cert template to add the UPN into the SAN. Re-issue the cert and test again.
12-18-2021 02:56 AM
We have UPN - Ivan.ivanov@test.ru, but with such settings on the ASA (username-from-certificate UPN) the ISE shows an error: 24325 Resolving Identity - <Unknown>.
Issuing new certificates is quite problematic, since there are many existing users.
If we use SAN, what attribute to specify in the command: username-from-certificate <?>
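The advice above to look at what the certificate's Subject and SAN actually contain, and the question of what each `username-from-certificate` attribute would hand to ISE, can both be checked offline. The following is an added example, not code from the thread or from Cisco. It uses the third-party Python `cryptography` package (assumed installed) to build a constructed self-signed certificate shaped like the one discussed (Subject CN "Ivan Ivanov", SAN otherName UPN "Ivan.ivanov@test.ru"), extracts the candidate identity strings, and runs them through a deliberately simplified stand-in for the AD join point that only matches on sAMAccountName or userPrincipalName. The account table is constructed data and the resolver is a model, not ISE's real resolution logic; against a real client certificate, replace the constructed PEM with the exported one.

```python
"""Which identity strings does a client certificate carry, and which of them
can an AD lookup resolve? Added example; requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# Microsoft "Principal Name" otherName OID: where a Windows CA puts the UPN in the SAN.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def der_utf8string(text: str) -> bytes:
    """DER-encode a UTF8String (short-form length is enough for a UPN)."""
    raw = text.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("short-form DER length only")
    return b"\x0c" + bytes([len(raw)]) + raw


def der_utf8string_decode(data: bytes) -> str:
    """Decode a short-form DER UTF8String (the payload of an otherName UPN)."""
    if len(data) < 2 or data[0] != 0x0C or data[1] >= 128 or len(data) != 2 + data[1]:
        raise ValueError("not a short-form DER UTF8String")
    return data[2:].decode("utf-8")


def build_constructed_cert(cn: str, upn: str) -> bytes:
    """Constructed self-signed certificate: human-readable CN in the Subject,
    machine-readable UPN as a SAN otherName. Returns PEM bytes."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def certificate_identities(pem: bytes) -> dict:
    """Identity strings the ASA could forward, keyed by the
    `username-from-certificate` choice that selects them."""
    cert = x509.load_pem_x509_certificate(pem)
    ids = {"CN": None, "UPN": None, "use-entire-name": cert.subject.rfc4514_string()}
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cns:
        ids["CN"] = cns[0].value
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return ids  # no SAN at all: UPN stays None, i.e. the ASA has nothing to send
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            ids["UPN"] = der_utf8string_decode(other.value)
    return ids


# Constructed stand-in for the join point "test.ru" (not a real directory).
CONSTRUCTED_AD = [
    {"sAMAccountName": "Ivan.ivanov", "userPrincipalName": "Ivan.ivanov@test.ru",
     "displayName": "Ivan Ivanov"},
]


def resolve_identity(identity, directory=CONSTRUCTED_AD):
    """Simplified model of the lookup: case-insensitive match on sAMAccountName
    or userPrincipalName only. None stands for ERROR_NO_SUCH_USER."""
    if not identity:
        return None
    wanted = identity.casefold()
    for account in directory:
        if wanted in (account["sAMAccountName"].casefold(), account["userPrincipalName"].casefold()):
            return account
    return None


if __name__ == "__main__":
    ids = certificate_identities(build_constructed_cert("Ivan Ivanov", "Ivan.ivanov@test.ru"))
    for choice, value in ids.items():
        hit = resolve_identity(value)
        print(f"username-from-certificate {choice:16} -> {value!r}: "
              f"{'resolved ' + hit['sAMAccountName'] if hit else 'ERROR_NO_SUCH_USER'}")
```

Running it shows the thread's symptom in miniature: the CN choice yields "Ivan Ivanov", which the model cannot resolve, while the UPN choice yields "Ivan.ivanov@test.ru", which matches userPrincipalName. If `certificate_identities` returns `None` for "UPN" on a real certificate, the UPN is not present as a SAN otherName with the Microsoft OID, and the ASA has nothing to extract for that attribute.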
02-05-2024 04:10 PM
Do you have multiple domains or a forest trust to other domains on this AD join point? If so, did you select the correct domain for authentication?