Cisco ISE - Identity resolution failed - ERROR_NO_SUCH_USER

Alina S
Level 1

Hello!

We have:


- ISE 3.0.0.458
- AnyConnect
- ASA

Users connect with AnyConnect to the corporate network using a certificate. On the ASA we take the CN attribute from it (username-from-certificate CN).

Example: CN - Ivan Ivanov.

 

During authentication, ISE starts looking for a user in AD, but we get an error: Identity resolution failed - ERROR_NO_SUCH_USER.

 

24325 Resolving identity - Ivan Ivanov

24313 Search for matching accounts at join point - test.ru

24318 No matching account found in forest - test.ru

24322 Identity resolution detected no matching account

24352 Identity resolution failed - ERROR_NO_SUCH_USER

 

If you look for the user Ivan.ivanov (sAMAccountName) when adding attributes, then everything is fine. But if we search for the user Ivan Ivanov, we will get the error above.

 

Please tell me how we can solve this problem. After all, we cannot substitute the sAMAccountName attribute on the ASA (username-from-certificate).

 

The error is repeated for any parameters in Certificate Authentication Profile.

3 Replies

Arne Bier
VIP

It looks to me as if the certificate does not contain a UPN (user principal name) - like Ivan.Ivanov or Ivan.Ivanov@somedomain

Have a look at the certificate (Subject and Subject Alternative Name) - you need to put something in there that ISE can use to look up in AD. It won't work with the "Full Name" like Ivan Ivanov. By default, this is what a Windows CA would put in the Subject CN. It's nice and human-readable, but not machine-readable.

One solution would be to change the cert template to add the UPN into the SAN. Re-issue the cert and test again.

We have UPN - Ivan.ivanov@test.ru, but with such settings on the ASA (username-from-certificate UPN) the ISE shows an error: 24325 Resolving Identity - <Unknown>.

 

Issuing new certificates is quite problematic, since there are many existing users. But just in case, I'll ask right away.
If we use SAN, what attribute to specify in the command: username-from-certificate <?>
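The point raised in the reply above (a Subject CN holding the display name cannot be matched in AD, whereas a UPN placed in the SAN can) and the follow-up question about what the SAN carries can be checked directly on a certificate. The script below is an added example written for this thread; it is not code from Cisco, from ISE, or from any poster. It builds a self-signed test certificate whose Subject CN is the display name "Ivan Ivanov" and whose SAN carries a Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), extracts both identities, and checks each against a constructed stand-in for the test.ru join point the way identity resolution matches on sAMAccountName or UPN but never on displayName. It assumes the Python `cryptography` package is installed; the user record is constructed, not a real account.

```python
"""Added example (not from the thread): which identity in a client certificate
can be resolved in AD. Assumes the 'cryptography' package is available."""
from datetime import datetime, timedelta, timezone
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Microsoft's otherName OID for a userPrincipalName carried in the SAN.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

# Constructed stand-in for the AD join point test.ru (sample data, not a real account).
AD_USERS = [
    {
        "sAMAccountName": "ivan.ivanov",
        "userPrincipalName": "ivan.ivanov@test.ru",
        "displayName": "Ivan Ivanov",
    },
]


def der_utf8string(value: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C, short-form length) for the otherName value."""
    raw = value.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("short-form DER length only")
    return b"\x0c" + bytes([len(raw)]) + raw


def make_user_cert(common_name: str, upn: Optional[str]) -> x509.Certificate:
    """Self-signed test certificate: human-readable Subject CN plus, optionally,
    a UPN otherName in the SAN (what a Windows CA user template normally adds)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
    )
    if upn:
        san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())


def subject_cn(cert: x509.Certificate) -> str:
    """What 'username-from-certificate CN' hands to ISE."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def san_upn(cert: x509.Certificate) -> Optional[str]:
    """The UPN otherName from the SAN, or None if the certificate has no such entry."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            # The value is a DER UTF8String: skip the tag and length byte.
            return other.value[2:].decode("utf-8")
    return None


def resolve_identity(identity: str) -> Optional[str]:
    """Match an identity string against sAMAccountName or UPN (case-insensitive),
    never against displayName; returns the account found or None (no such user)."""
    wanted = identity.lower()
    for user in AD_USERS:
        if wanted in (user["sAMAccountName"].lower(), user["userPrincipalName"].lower()):
            return user["sAMAccountName"]
    return None


if __name__ == "__main__":
    cert = make_user_cert("Ivan Ivanov", "ivan.ivanov@test.ru")
    for label, ident in (("Subject CN", subject_cn(cert)), ("SAN UPN", san_upn(cert))):
        print(f"{label:10} {ident!r:28} -> {resolve_identity(ident) or 'ERROR_NO_SUCH_USER'}")
```

Run as-is and the Subject CN line resolves to nothing, mirroring the 24352 step in the live log, while the SAN UPN line resolves to the account. Point `san_upn` at a real user certificate loaded with `x509.load_pem_x509_certificate` to see whether the existing template already places a UPN in the SAN before deciding on re-issuance.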

 

Sri Harsha Dasari
Spotlight

Do you have multiple domains or a forest trust to other domains on this AD join point? If so, did you select the correct domain for authentication?

Thanks, Sri.