Beginner

Cisco ISE (user certificate ambiguity error)

Hi All,

Receiving an authentication error in ISE (2.x) relating to user certificate ambiguity.

Setup - AD Join connector configured for user and machine in several domains.

Clients - Win 10 - EAP-TLS for machine and user network access.

Issue:

A single-domain user account in DomainA or DomainB works fine, but when trying to authenticate a client with identical user accounts in DomainA and DomainB, authentication is rejected due to multiple matching records: "resolve certificate identity ambiguity using certificates match".

Question - How to accommodate a user in multiple domains for authentication?

Cheers,

Accepted Solution

Cisco Employee

Re: Cisco ISE (user certificate ambiguity error)

In addition to @Cristian Matei's comments, another way to resolve ambiguity issues when you have a user that exists in multiple domains would be to ensure you are using an identity value in your Certificate Authentication Profile that includes the domain name.

Typically, the CN would include just the computer or user name but options like UPN or Email would include the domain.

You would need to ensure, however, that the separate certificate templates in ADCS used to enrol both Computers and Users include the value specified in the Cert Auth Profile.

3 Replies
Rising star

Re: Cisco ISE (user certificate ambiguity error)

Hi,

1. The simplest solution would be to create some conditions in your authentication policy, so that, based on the attributes of the incoming RADIUS request, you know which domain the user belongs to, and configure ISE to look for a specific join point.

2. Have you set "Match Client Certificate against Certificate in Identity Store" to "Only to resolve Identity Ambiguity" or to "Always perform binary comparison"?


Also, take a look at this bug and upgrade to a proper version and patch level of ISE.


Regards,

Cristian Matei.
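As an added illustration (not ISE code and not from either poster), a small Python model of the lookup the two replies describe: the identity attribute chosen in the Certificate Authentication Profile (CN versus UPN) decides how many directory records match, and the binary-comparison setting falls back to comparing the presented certificate with the one stored on the account (AD's userCertificate attribute). The domains, user records and certificate bytes are constructed sample data.

```python
"""Simplified model of resolving an EAP-TLS client certificate to one AD
account across several domains (join points).  Constructed data only."""
import hashlib

# Constructed identity store: one "jdoe" in each of two domains.  The
# userCertificate value stands in for the DER bytes AD stores at enrolment.
DIRECTORY = [
    {"domain": "domaina.example", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@domaina.example", "userCertificate": b"DER-cert-A"},
    {"domain": "domainb.example", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@domainb.example", "userCertificate": b"DER-cert-B"},
]

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, used for the binary comparison."""
    return hashlib.sha256(der).hexdigest()

def resolve(cert: dict, identity_attr: str, binary_compare: bool) -> str:
    """Return 'domain/user' for a unique match, else 'AMBIGUOUS' or 'NOT_FOUND'.

    cert           constructed client certificate: {'CN', 'UPN', 'DER'}
    identity_attr  identity value from the Cert Auth Profile: 'CN' or 'UPN'
    binary_compare whether to compare the presented cert against the stored one
                   when the name lookup alone is ambiguous
    """
    if identity_attr == "CN":
        # A bare user name matches the same sAMAccountName in every domain.
        hits = [u for u in DIRECTORY if u["sAMAccountName"] == cert["CN"]]
    else:
        # The UPN carries the domain suffix, so it pins a single join point.
        hits = [u for u in DIRECTORY if u["userPrincipalName"] == cert["UPN"]]
    if len(hits) > 1 and binary_compare:
        # Keep only the account whose stored certificate is the one presented.
        presented = fingerprint(cert["DER"])
        hits = [u for u in hits if fingerprint(u["userCertificate"]) == presented]
    if len(hits) == 1:
        return f"{hits[0]['domain']}/{hits[0]['sAMAccountName']}"
    return "AMBIGUOUS" if hits else "NOT_FOUND"

if __name__ == "__main__":
    cert_b = {"CN": "jdoe", "UPN": "jdoe@domainb.example", "DER": b"DER-cert-B"}
    print("CN only:", resolve(cert_b, "CN", False))      # the error in the post
    print("UPN:", resolve(cert_b, "UPN", False))         # domain in the identity
    print("CN + binary:", resolve(cert_b, "CN", True))   # stored-cert comparison
```

The last case also shows the trade-off of the binary comparison: a certificate that was never published to the account is rejected even when the name matches, so the ADCS templates must publish the certificate to AD.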


Beginner

Re: Cisco ISE (user certificate ambiguity error)

Hi Greg,
Is the below necessary?
Use Explicit UPN
To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.