EAP-TLS CN matching via Internal identity group

ktoyoshi
Cisco Employee

Hi,

 

Customer requirement is EAP-TLS authentication with CN matching via ISE internal user DB.

I have tested that ISE 1.x works with below authorization condition.

InternalUser:IdentityGroup EQUALS User Identity Groups:XYZ

 

Is this condition still the same with ISE 2.4? In the customer's lab, it doesn't work so far.

 

Best Regards,

Kaori


4 Replies

paul
Level 10

If you pull up the details of the live log record, do you see ISE correctly extracting the username from the CN field in the certificate? What do the details say about the identity group lookup (if anything)?

ktoyoshi
Cisco Employee

Thank you Paul.

Yes, the username is retrieved from the CN as expected, but I can't see any identity group lookup information in the details log.

hslai
Cisco Employee

Please engage Cisco TAC and open a case on this to troubleshoot further.

ISE 2.3+ may use either InternalUser.IdentityGroup EQUALS User Identity Groups:<Group-Name>

or, IdentityGroup.Name EQUALS User Identity Groups:<Group-Name>

with the right-hand-side (RHS) selected from the drop-down items.

I tested an AD user and was able to match either authorization rule.

...

  24402 User authentication against Active Directory succeeded - myAD
  22037 Authentication Passed
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.NetworkDeviceName
  15048 Queried PIP - EndPoints.assetTag
  15048 Queried PIP - Network Access.UserName
  15048 Queried PIP - InternalUser.IdentityGroup
  15005 Matched monitored rule - InternaUser
  15048 Queried PIP - IdentityGroup.Name
  15016 Selected Authorization Profile - PermitALL

...
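The step lines quoted above are the quickest way to tell whether an authorization rule ever looked at the identity group: a working rule shows a "Queried PIP" step for InternalUser.IdentityGroup or IdentityGroup.Name before the profile is selected, while a rule that never references those attributes produces no such step. The checker below is an added example, not part of this thread or of any Cisco tooling; it parses step lines in the format shown above and reports which identity-group attributes were queried, which rules matched, and which profile was selected. The first sample trace is taken from the working AD case above; the second is constructed to illustrate the missing-lookup symptom, and its step lines and the DenyAccess profile name are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample 1: the working trace quoted in the thread (step code, then message).
WORKING_STEPS = """\
  24402 User authentication against Active Directory succeeded - myAD
  22037 Authentication Passed
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.UserName
  15048 Queried PIP - InternalUser.IdentityGroup
  15005 Matched monitored rule - InternaUser
  15048 Queried PIP - IdentityGroup.Name
  15016 Selected Authorization Profile - PermitALL
"""

# Sample 2 (constructed, an assumption): authentication passes but the
# policy never fetches an identity-group attribute, so a group-based rule
# cannot match and a fallback profile is selected instead.
MISSING_LOOKUP_STEPS = """\
  22037 Authentication Passed
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.UserName
  15048 Queried PIP - EndPoints.assetTag
  15016 Selected Authorization Profile - DenyAccess
"""

# One step per line: a five-digit step code followed by its message.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")

# The two attributes the thread's authorization conditions depend on.
GROUP_PIPS = ("InternalUser.IdentityGroup", "IdentityGroup.Name")


@dataclass
class AuthzTrace:
    authn_passed: bool = False
    queried_pips: List[str] = field(default_factory=list)
    matched_rules: List[str] = field(default_factory=list)
    selected_profile: Optional[str] = None

    def group_attributes_queried(self) -> List[str]:
        """Identity-group attributes the policy actually fetched, in order."""
        return [p for p in self.queried_pips if p in GROUP_PIPS]


def parse_steps(text: str) -> AuthzTrace:
    """Reduce a step log to the facts relevant to the identity-group lookup."""
    trace = AuthzTrace()
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue  # ignore blank lines and the "..." separators
        code, msg = m.group(1), m.group(2)
        if code == "22037":
            trace.authn_passed = True
        elif code == "15048" and msg.startswith("Queried PIP - "):
            trace.queried_pips.append(msg[len("Queried PIP - "):])
        elif code == "15005" and msg.startswith("Matched monitored rule - "):
            trace.matched_rules.append(msg[len("Matched monitored rule - "):])
        elif code == "15016" and msg.startswith("Selected Authorization Profile - "):
            trace.selected_profile = msg[len("Selected Authorization Profile - "):]
    return trace


def diagnose(trace: AuthzTrace) -> str:
    """One-line finding about whether the identity-group condition was evaluated."""
    if not trace.authn_passed:
        return "authentication did not pass; authorization policy was not reached"
    queried = trace.group_attributes_queried()
    if queried:
        return "identity-group attributes queried: " + ", ".join(queried)
    return ("no identity-group attribute was queried; the evaluated rules never "
            "referenced InternalUser.IdentityGroup or IdentityGroup.Name")


if __name__ == "__main__":
    for label, steps in (("working", WORKING_STEPS), ("missing lookup", MISSING_LOOKUP_STEPS)):
        t = parse_steps(steps)
        print(f"{label}: profile={t.selected_profile} rules={t.matched_rules}")
        print("  " + diagnose(t))
```

If a real trace reports "no identity-group attribute was queried", the rule condition was not built against one of the two attributes hslai lists; if the attribute was queried but the expected rule still did not match, the right-hand-side value (the group selected from the drop-down) is the next thing to compare against the user's actual group membership.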

ktoyoshi
Cisco Employee

Thank you Hsing-Tsu.

From the attached customer log, the Identity Group is categorized as "Profiled" only, with no information about user groups.

Can I check more details with any debug logs?

As this customer is under evaluation, I'd like to investigate as far as possible before raising an internal TAC case.