Identity is changed during one RADIUS session

pnavratil
Level 1

A customer runs a campus network with a full DOT1x deployment and ISE 2.2 servers, and he has found several occurrences of quite weird behavior.

In the RADIUS live log (or report) we found a log entry for a successful end-user login, but the logged identity (username) does not exist in any identity source.

When we checked the details, we found it was authenticated against Active Directory, but at the beginning the identity, let's say John, was used 2 times; both logins were denied, but it continued in the same RADIUS session with a different identity (a different resolved identity), the user identity (for example Lennon@campus.org). This time the login was successful and the user has been allowed to connect.

I can see the right login username in the field "AD-User-Resolved-Identities", but this is the only place I can find the real identity used for authentication. The RADIUS username field stayed the same as it was set up at the beginning, and the same username is logged to the SIEM too (John in our example).

The customer then has a problem identifying such users when he searches for them in his SIEM database.

Has anybody met such behavior? Is there any way to disable this?

It could be enough to separate it into different RADIUS sessions: the first 2 denied with the nonexistent user identity, and the 3rd try with the proper username, authenticated and logged with the real username used for authentication.

I checked the rules in AD identity resolution; there is nothing set and I did not find any way to use it in our case.


Thank you for any help

Regards

Pavel

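An added example, not part of the original post or of ISE itself: the correlation problem described above (the RADIUS username stays "John" while the identity that actually authenticated appears only in AD-User-Resolved-Identities) can be caught on the SIEM side by grouping events per session and comparing the two fields. The log format below is a constructed, simplified key=value layout; apart from AD-User-Resolved-Identities, the attribute names (SessionId, UserName, Result, Event) are assumptions, as is the sample data.

```python
"""Flag RADIUS sessions whose authenticated identity differs from the RADIUS username.

Constructed example for SIEM-side correlation of ISE-style authentication events.
The record layout and all attribute names except AD-User-Resolved-Identities are
assumptions made for this example, not a documented ISE format.
"""
import re
from collections import OrderedDict

# Constructed sample events: session A reproduces the behaviour from the post
# (two denied attempts as "John", then a pass resolved to Lennon@campus.org);
# session B is a normal login where the username and resolved identity agree.
SAMPLE_LOG = """\
Event=Failed-Attempt, SessionId=SESSION-A, UserName=John, Result=FAIL
Event=Failed-Attempt, SessionId=SESSION-A, UserName=John, Result=FAIL
Event=Passed-Authentication, SessionId=SESSION-A, UserName=John, AD-User-Resolved-Identities=Lennon@campus.org, Result=PASS
Event=Passed-Authentication, SessionId=SESSION-B, UserName=Alice, AD-User-Resolved-Identities=Alice@campus.org, Result=PASS
"""

# One attribute is "name=value"; the value runs up to the next comma.
ATTR_RE = re.compile(r"([\w-]+)=([^,]*)")


def parse_record(line):
    """Turn one 'k=v, k=v' line into a dict (values stripped of whitespace)."""
    return {key: value.strip() for key, value in ATTR_RE.findall(line)}


def group_by_session(lines):
    """Group parsed records by SessionId, preserving event order within a session."""
    sessions = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        record = parse_record(line)
        sessions.setdefault(record.get("SessionId", "<no-session>"), []).append(record)
    return sessions


def _user_part(identity):
    """Compare only the user portion so 'Alice' and 'Alice@campus.org' are the same."""
    return identity.split("@", 1)[0].lower()


def find_identity_drift(log_text):
    """Return one finding per session where the passing event's resolved identity
    is not the RADIUS UserName, or where more than one UserName appeared in the
    session. Each finding carries the values a SIEM analyst needs to reconcile
    the two names."""
    findings = []
    for session_id, records in group_by_session(log_text.splitlines()).items():
        passed = [r for r in records if r.get("Result") == "PASS"]
        if not passed:
            continue  # nothing was granted, so there is nothing to reconcile
        final = passed[-1]
        resolved = final.get("AD-User-Resolved-Identities")
        if resolved is None:
            continue  # no AD resolution recorded; cannot compare
        usernames = {r.get("UserName") for r in records if r.get("UserName")}
        drift = _user_part(resolved) != _user_part(final.get("UserName", ""))
        if drift or len(usernames) > 1:
            findings.append({
                "session": session_id,
                "radius_username": final.get("UserName"),
                "authenticated_identity": resolved,
                "failed_attempts": sum(1 for r in records if r.get("Result") == "FAIL"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_identity_drift(SAMPLE_LOG):
        print(
            f"session {finding['session']}: RADIUS username {finding['radius_username']!r} "
            f"but authenticated as {finding['authenticated_identity']!r} "
            f"after {finding['failed_attempts']} denied attempt(s)"
        )
```

Fed with real exports, the same comparison gives the SIEM a searchable record keyed on the identity that actually authenticated, which is what the post says is missing when only the RADIUS username is indexed.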