ā12-17-2021 04:46 AM
Hello!
We have:
- ISE 3.0.0.458
- AnyConnect
- ASA
Users connect with AnyConnect to the corporate network using a certificate. On ASA - We take the attribute CN from it (username-from-certificate CN).
Example: CN - Ivan Ivanov.
During authentication, ISE starts looking for a user in AD, but we get an error: Identity resolution failed - ERROR_NO_SUCH_USER.
24325 Resolving identity - Ivan Ivanov
24313 Search for matching accounts at join point - test.ru
24318 No matching account found in forest - test.ru
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
If you look for the user Ivan.ivanov (sAMAccountName) when adding attributes, then everything is fine. But if we search for the user Ivan Ivanov, we will get the error above.
Please tell me how we can solve this problem? After all, we cannot substitute the sAMAccountName attribute on the ASA (username-from-certificate).
sAMAccountName
The error is repeated for any parameters in Certificate Authentication Profile.
ā12-17-2021 12:59 PM
It looks to me as if the certificate does not contain a UPN (user principal name) - like Ivan.Ivanov or Ivan.Ivanov@somedomain
Have a look at the certificate (Subject and Subject Alternative Name) - you need to put something in there that ISE can use to lookup in AD. It won't work with the "Full Name" like Ivan Ivanov. By default, this is what Windows CA would put in the Subject CN. It's nice and human-readable, but not machine-readable.
One solution would be to change the cert template to add the UPN into the SAN. Re-issue the cert and test again.
ā12-18-2021 02:56 AM
We have UPN - Ivan.ivanov@test.ru, but with such settings on the ASA (username-from-certificate UPN) the ISE shows an error: 24325 Resolving Identity - <Unknown>.
Issuing new certificates is quite problematic, since there are many existing users
If we use SAN, what attribute to specify in the command: username-from-certificate <?>
ā02-05-2024 04:10 PM
Do you have multiple domains or forest trust to other domains on this AD join point? If so, did you the correct domain for authentication ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide