Cisco ISE Wlan user authentication fails for users with umlaut

We have set up a Cisco Identity Services Engine to manage WLAN access for our users. Access should be granted to users from a specific Windows Active Directory group. This works fine for users having a username consisting only of ASCII letters. However, user names having e.g. an umlaut fail. The live authentication log shows an error "22056 Subject not found in the applicable identity store(s)".

Any idea what could be wrong? (And, no, renaming all non-ASCII users is not an option)

P.S.:

Remarkably, the AD group name happens to also have an umlaut, so there is no general problem with them.

1 Reply

The solution I finally was content with is as follows: It turns out that the Windows AD login does not really differentiate between umlauts and their dotless counterparts. That is, it has always been possible for a user named "Müller" to log in e.g. to a Windows workstation using "Muller" (or a user named "Hoffmann" could as well have used "Höffmänn" as login name). Consequently, using the umlaut-less alternative for WLAN authentication works out of the box. So we can keep the correct spelling in AD and users can most of the time use their correct spelling to log in - only when logging in to the company WLAN they need to drop the dieresis. This is somewhat unusual because users might expect that umlauts would be replaced per ä->ae, ö->oe, ü->ue instead of just ä->a, ö->o, ü->u. But at least it allows us to keep the correctly spelled names in the directory and no special modification to allow user login (except teaching the users).
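The folding described in the reply (ä->a, ö->o, ü->u rather than ä->ae), as an added example that is not part of the original thread: it lists the umlaut-less WLAN login for each non-ASCII directory name and flags names that fold to the same string, where the dotless login would be ambiguous. The user list is constructed, and modelling the fold as Unicode decomposition with the combining marks removed is an assumption, not AD's documented comparison rule.

```python
import unicodedata
from collections import defaultdict


def fold_diacritics(name: str) -> str:
    """Decompose (NFD) and drop combining marks: 'ü' -> 'u', 'ä' -> 'a'."""
    decomposed = unicodedata.normalize("NFD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def wlan_login_report(usernames):
    """Return (rows, collisions) for a list of directory user names.

    rows:       (directory_name, folded_login, is_ascii) for every name that
                contains a non-ASCII character. is_ascii is False when folding
                alone does not yield an ASCII login (e.g. 'ß' has no
                decomposition), so that account needs a manual check.
    collisions: folded lower-case login -> directory names sharing it.
    """
    rows = []
    by_folded = defaultdict(set)
    for name in usernames:
        folded = fold_diacritics(name)
        by_folded[folded.casefold()].add(name)
        if not name.isascii():
            rows.append((name, folded, folded.isascii()))
    collisions = {k: sorted(v) for k, v in by_folded.items() if len(v) > 1}
    return rows, collisions


# Constructed sample list, not taken from the thread's environment.
SAMPLE_USERS = ["Müller", "Muller", "Jäger", "Weiß", "Schmidt"]

if __name__ == "__main__":
    rows, collisions = wlan_login_report(SAMPLE_USERS)
    for directory_name, login, ok in rows:
        note = "" if ok else "  <- still non-ASCII, check manually"
        print(f"{directory_name:10} -> {login}{note}")
    for login, names in collisions.items():
        print(f"ambiguous dotless login {login!r}: {names}")
```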