Cisco ISE (user certificate ambiguity error)

Jay233
Level 1

Hi All,

Receiving an authentication error in ISE (2.x) relating to user certificate ambiguity.

Setup - AD Join connector configured for user and machine in several domains.

Clients - Win 10 - EAP-TLS for machine and user network access.

Issue:

A single-domain user account in DomainA or DomainB works fine, but when trying to authenticate a client with identical user accounts in DomainA and DomainB, authentication is rejected due to multiple matching records: "resolve certificate identity ambiguity using certificates match".

Question - How to accommodate a user in multiple domains for authentication? 

Cheers,

4 Replies

Cristian Matei
VIP Alumni

Hi,

1. The simplest solution would be to create some conditions in your authentication policy, so that, based on the attributes of the incoming RADIUS request, you know to which domain the user belongs, and configure ISE to look for a specific join point.

2. Have you set "Match Client Certificate against Certificate in Identity Store" to "Only to resolve Identity Ambiguity" or to "Always perform binary comparison"?

Also, take a look at this bug and upgrade to a proper version and patch level of ISE.

Regards,

Cristian Matei.

In addition to @Cristian Matei's comments, another way to resolve ambiguity issues when you have a user that exists in multiple domains would be to ensure you are using an identity value in your Certificate Authentication Profile that includes the domain name.

Typically, the CN would include just the computer or user name but options like UPN or Email would include the domain.

You would need to ensure, however, that the separate certificate templates in ADCS used to enrol both Computers and Users include the value specified in the Cert Auth Profile.

Hi Greg,
Is the below necessary?
Use Explicit UPN
To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.

I'm no AD expert but, as I understand it, the advanced tuning for the Explicit UPN would be more for solving ambiguity issues within a single domain. I don't believe this would be required with your use case for multiple domains.

See the following link for more information about iUPN versus eUPN:

User Principal Names in AD

AFAIK, however, the UPN is not automatically generated for a computer account by default. If you intend to use the UPN value in the certificate for both Computers and Users, you will likely need to make sure the UPN attribute is set for the computer account during or after the domain join and before the certificate is enrolled so the value is populated in the certificate SAN.

Example:

[Two screenshots omitted: computer account attributes and the resulting certificate SAN]
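As an added illustration of the two points above (using a domain-qualified identity such as the UPN rather than the bare CN, and making sure computer accounts actually carry a UPN before enrolment), the following PowerShell is example code, not from this thread or from Cisco. It assumes the RSAT ActiveDirectory module is installed, that the DNS domain name and the "hostname$@domain" UPN convention are placeholders to be replaced with whatever your certificate templates expect, and that the machine certificate is enrolled with the Client Authentication EKU.

```powershell
# Added example (not from the thread): populate userPrincipalName on computer
# accounts that lack one, then verify the enrolled machine certificate carries
# the UPN in its Subject Alternative Name so ISE can use it as the identity value.
# Assumptions: RSAT ActiveDirectory module; '<hostname>$@<dns-domain>' is a
# placeholder UPN convention; $Domain is a placeholder DNS domain name.

Import-Module ActiveDirectory

$Domain = 'domaina.example'   # placeholder, replace with your domain

# 1. On a domain-joined admin host: find enabled computer accounts with no UPN.
$missing = Get-ADComputer -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { [string]::IsNullOrEmpty($_.UserPrincipalName) }

foreach ($c in $missing) {
    $upn = '{0}$@{1}' -f $c.Name, $Domain
    Write-Host "Setting UPN $upn on $($c.DistinguishedName)"
    # -WhatIf only previews the change; remove it once the naming convention is agreed.
    Set-ADComputer -Identity $c -UserPrincipalName $upn -WhatIf
}

# 2. On the client, after (re)enrolment: confirm the SAN of the newest
#    client-authentication certificate in the machine store contains a UPN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($null -eq $cert) {
    Write-Warning 'No client-authentication certificate found in LocalMachine\My'
    return
}

# 2.5.29.17 is the OID of the Subject Alternative Name extension.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($null -eq $san) {
    Write-Warning "Certificate $($cert.Thumbprint) has no SAN extension; only the CN '$($cert.Subject)' is available"
    return
}

$text = $san.Format($true)
Write-Host "SAN of $($cert.Thumbprint):`n$text"
if ($text -match 'Principal Name=') {
    Write-Host 'UPN present in SAN: a Cert Auth Profile using the SAN UPN will carry the domain'
} else {
    Write-Warning 'No UPN in SAN: the account UPN was probably empty at enrolment, or the template does not include it'
}
```

Run part 1 from an account allowed to modify computer objects and part 2 on the enrolled Windows 10 client; the SAN check is the quickest way to tell whether a re-enrolment is still needed after the attribute was populated.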
