cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1502
Views
0
Helpful
4
Replies

EAP-TLS CN matching via Internal identity group

ktoyoshi
Cisco Employee
Cisco Employee

Hi,

 

Customer requirement is EAP-TLS authentication with CN matching via ISE internal user DB.

I have tested that ISE 1.x works with below authorization condition.

InternalUser:IdentityGroup EQUALS User Identity Groups:XYZ

 

Is this condition still same with ISE 2.4? In customer's lab, it does't work so far.

 

Best Regards,

Kaori

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

Please engage Cisco TAC and open a case on this to troubleshoot further.

ISE 2.3+ may use either InternalUser.IdentityGroup EQUALS User Identity Groups:<Group-Name>

or, IdentityGroup.Name EQUALS User Identity Groups:<Group-Name>

with the right-hand-side (RHS) selected from the drop-down items.

I tested an AD user and able to match either authorization rules.

...

  24402 User authentication against Active Directory succeeded - myAD
  22037 Authentication Passed
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.NetworkDeviceName
  15048 Queried PIP - EndPoints.assetTag
  15048 Queried PIP - Network Access.UserName
  15048 Queried PIP - InternalUser.IdentityGroup
  15005 Matched monitored rule - InternaUser
  15048 Queried PIP - IdentityGroup.Name
  15016 Selected Authorization Profile - PermitALL

...

View solution in original post

4 Replies 4

paul
Level 10
Level 10

If you pull up the details of the live log record do you see ISE correctly extracting the username from the CN field in the certificate?  What do the details say about the identity group lookup (if anything)?

ktoyoshi
Cisco Employee
Cisco Employee

Thank you Paul.

Yes username is retrieved from CN as expected, but I can't see identity group lookup information from the details log. 

hslai
Cisco Employee
Cisco Employee

Please engage Cisco TAC and open a case on this to troubleshoot further.

ISE 2.3+ may use either InternalUser.IdentityGroup EQUALS User Identity Groups:<Group-Name>

or, IdentityGroup.Name EQUALS User Identity Groups:<Group-Name>

with the right-hand-side (RHS) selected from the drop-down items.

I tested an AD user and able to match either authorization rules.

...

  24402 User authentication against Active Directory succeeded - myAD
  22037 Authentication Passed
  24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  15036 Evaluating Authorization Policy
  15048 Queried PIP - Network Access.NetworkDeviceName
  15048 Queried PIP - EndPoints.assetTag
  15048 Queried PIP - Network Access.UserName
  15048 Queried PIP - InternalUser.IdentityGroup
  15005 Matched monitored rule - InternaUser
  15048 Queried PIP - IdentityGroup.Name
  15016 Selected Authorization Profile - PermitALL

...

Thank you Hsing-Tsu.

From attached customer log, Identity Group is categorized as "Profiled" only and no information about user groups. 

Can I check more details with any debug logs?

As this customer is under evaluation, I'd like to investigate as far as possible before raise internal TAC case.