Beginner

Cisco ISE (user certificate ambiguity error)

Hi All,

Receiving an authentication error in ISE (2.x) relating to user certificate ambiguity.

Setup - AD Join connector configured for user and machine in several domains.

Clients - Win 10 - EAP-TLS for machine and user network access.

Issue:

A single-domain user account in DomainA or DomainB works fine, but when trying to auth a client with identical user accounts in DomainA & DomainB, authentication is rejected due to multiple matching records ("resolve certificate identity ambiguity using certificates match").

Question - How to accommodate a user in multiple domains for authentication? 

Cheers,

 

Accepted Solution
Cisco Employee

Re: Cisco ISE (user certificate ambiguity error)

In addition to @Cristian Matei's comments, another way to resolve ambiguity issues when you have a user that exists in multiple domains would be to ensure you are using an identity value in your Certificate Authentication Profile that includes the domain name.

Typically, the CN would include just the computer or user name but options like UPN or Email would include the domain.

You would need to ensure, however, that the separate certificate templates in ADCS used to enrol both Computers and Users include the value specified in the Cert Auth Profile.


4 Replies
Collaborator

Re: Cisco ISE (user certificate ambiguity error)

Hi,

1. The simplest solution would be to create some conditions in your authentication policy; thus, based on the attributes of the incoming RADIUS request, you know which domain the user belongs to, and you can configure ISE to look for a specific join point.

2. Have you set "Match Client Certificate against Certificate in Identity Store" to "Only to resolve Identity Ambiguity" or to "Always perform binary comparison"?

Also, take a look at this bug and upgrade to a proper version and patch level of ISE.

Regards,

Cristian Matei.

   

Beginner

Re: Cisco ISE (user certificate ambiguity error)

Hi Greg,
Is the below necessary?
Use Explicit UPN
To reduce ambiguity when matching user information against Active Directory's User-Principal-Name (UPN) attributes, you must configure Active Directory to use Explicit UPN. Using Implicit UPN can produce ambiguous results if two users have the same value for sAMAccountName.

To set Explicit UPN in Active Directory, open the Advanced Tuning page, and set the attribute REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\UseExplicitUPN to 1.
Cisco Employee

Re: Cisco ISE (user certificate ambiguity error)

I'm no AD expert but, as I understand it, the advanced tuning for the Explicit UPN would be more for solving ambiguity issues within a single domain. I don't believe this would be required with your use case for multiple domains.

See the following link for more information about iUPN versus eUPN:

User Principle Names in AD

 

AFAIK, however, the UPN is not automatically generated for a computer account by default. If you intend to use the UPN value in the certificate for both Computers and Users, you will likely need to make sure the UPN attribute is set for the computer account during or after the domain join and before the certificate is enrolled so the value is populated in the certificate SAN.

Example:

[Two screenshots (dated 2020-03-30) from the original post are not reproduced here.]
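To make the mechanics behind this thread concrete, the following model shows why one sAMAccountName present in two AD join points produces the "certificate identity ambiguity" rejection, and how each remedy discussed above removes it: Cristian's policy condition that scopes the lookup to one join point, the binary comparison of the client certificate against the certificate published on the AD object, Greg's domain-bearing identity (UPN) in the Certificate Authentication Profile, and Greg's later note that a computer account with no UPN attribute yields a certificate whose SAN carries no principal name. This is an added illustrative example written for this page; it is not Cisco ISE code and not code from any poster. The directory objects, the certificates, and the simplified rule that the Subject CN is compared with sAMAccountName are all constructed assumptions.

```python
"""Added illustrative model, not Cisco ISE code: shows why one sAMAccountName
in two AD join points produces the "certificate identity ambiguity" rejection
and how each fix discussed in the thread removes it.  All directory objects
and certificates below are constructed stand-ins."""

import hashlib
from dataclasses import dataclass


@dataclass
class AdObject:
    domain: str        # join point the object lives in
    sam: str           # sAMAccountName
    upn: str           # userPrincipalName ("" when never set, e.g. a computer account)
    cert_sha256: str   # fingerprint of the cert published in userCertificate


@dataclass
class ClientCert:
    cn: str            # Subject CN
    upn_san: str       # SAN Other Name / Principal Name, "" if the attribute was empty at enrolment
    der: bytes         # stand-in for the DER-encoded certificate presented in EAP-TLS


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


# Constructed directory: user jsmith exists with the same sAMAccountName in both
# domains; WS01$ is a computer account whose UPN attribute was never populated.
DIRECTORY = [
    AdObject("domaina.example", "jsmith", "jsmith@domaina.example", fingerprint(b"cert-jsmith-A")),
    AdObject("domainb.example", "jsmith", "jsmith@domainb.example", fingerprint(b"cert-jsmith-B")),
    AdObject("domaina.example", "WS01$", "", fingerprint(b"cert-ws01")),
]


class AmbiguousIdentity(Exception):
    """Several directory objects match and nothing disambiguates them."""


class IdentityNotFound(Exception):
    """No directory object matches the identity taken from the certificate."""


def resolve(cert, identity_attr, join_points=None, binary_compare=False):
    """Look up the directory object a client certificate identifies.

    identity_attr   'cn'  -> compare Subject CN with sAMAccountName (simplified)
                    'upn' -> compare SAN principal name with userPrincipalName
    join_points     domains to search; None means every join point (an
                    authentication-policy condition that selects one join
                    point narrows this set)
    binary_compare  on ambiguity, keep only the candidate whose published
                    certificate is byte-identical to the presented one
    """
    scope = [o for o in DIRECTORY if join_points is None or o.domain in join_points]
    if identity_attr == "cn":
        wanted = cert.cn.lower()
        candidates = [o for o in scope if o.sam.lower() == wanted]
    elif identity_attr == "upn":
        wanted = cert.upn_san.lower()
        candidates = [o for o in scope if wanted and o.upn.lower() == wanted]
    else:
        raise ValueError(f"unknown identity attribute {identity_attr!r}")

    if not candidates:
        raise IdentityNotFound(f"{identity_attr}={wanted!r}")
    if len(candidates) > 1 and binary_compare:
        before = len(candidates)
        fp = fingerprint(cert.der)
        candidates = [o for o in candidates if o.cert_sha256 == fp]
        if len(candidates) != 1:
            raise AmbiguousIdentity(
                f"{identity_attr}={wanted!r}: binary comparison left "
                f"{len(candidates)} of {before} candidates")
    if len(candidates) > 1:
        raise AmbiguousIdentity(
            f"{identity_attr}={wanted!r} matched {len(candidates)} objects across join points")
    return candidates[0]


def outcome(*args, **kwargs):
    """Run resolve() and summarise the result as a short string."""
    try:
        return f"ok:{resolve(*args, **kwargs).domain}"
    except (AmbiguousIdentity, IdentityNotFound) as exc:
        return type(exc).__name__


def demo():
    """The thread's scenarios, each returning the resolution outcome."""
    user_a = ClientCert("jsmith", "jsmith@domaina.example", b"cert-jsmith-A")
    ws01 = ClientCert("WS01$", "", b"cert-ws01")   # template asked for UPN, attribute was empty
    return {
        "cn_all_joinpoints": outcome(user_a, "cn"),
        "cn_scoped_by_policy": outcome(user_a, "cn", join_points={"domaina.example"}),
        "cn_binary_compare": outcome(user_a, "cn", binary_compare=True),
        "upn_all_joinpoints": outcome(user_a, "upn"),
        "computer_without_upn": outcome(ws01, "upn"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

Running the block prints one line per scenario: the CN lookup across both join points is ambiguous, while scoping to one join point, enabling binary comparison, or matching on the UPN each yields exactly one object; the computer certificate enrolled before its account had a UPN resolves to nothing at all, which is the failure Greg's last reply warns about.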