ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch
Enthusiast

Hello,

We are currently evaluating ISE 1.1 in a multi-forest environment and have problems authenticating users based in a different domain (domain2) than the one ISE is in (domain1).

This is the setup:

In domain1 there is an MSFT CA with OCSP, a DC and the ISE.

In domain2 there is a DC and the users.

There is a two-way trust between the domains.

This is my authentication scenario:

1. Agent connects to a wireless network (ok)

2. Client exchanges certificate information with ISE (ok)

3. ISE exchanges certificate status with the CA (ok)

4. ISE extracts the Subject Alternative Name from the certificate, dersa@domain2.ch (ok)

5. ISE queries the Active Directory store for the user dersa@domain2.ch (not ok, fails with 22056 Subject not found)

In the log I can see that the other forest (domain2) is not even queried to retrieve user data, only domain1.

I could query the other domain during AD setup and was able to add groups from the other domain, but I could not retrieve attributes of the user in domain2.

Any ideas?

Regards

Alex

Extract from Log File

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="dersa@domain2.ch" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper 'dersa@domain2.ch' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete
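The log above tells the whole story in three lines: adclient rejects domain2.ch ("Blocked, not in DNS or our domain list"), it then treats the UPN dersa@domain2.ch as a sAMAccountName against domain1's DC and GC, and the GC of domain1 can never hold an object from a separate forest anyway. The script below is an added example, not part of the original post or of Cisco ISE; it runs the same triage over a constructed copy of those adclient lines and prints what a practitioner should check next. The NETBIOS_BY_DNS map is an assumption for illustration only (the real NetBIOS name of a trusted domain must be read from the trust, not guessed).

```python
import re

# Constructed sample: a handful of the adclient debug lines from the extract above,
# trimmed to the ones that matter for the diagnosis.
SAMPLE_LOG = """\
DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
"""

# ASSUMPTION (illustration only): DNS name of the trusted forest -> NetBIOS name.
# The real value comes from the trust itself; it is not derivable from the log.
NETBIOS_BY_DNS = {"domain2.ch": "domain2"}

NAME_RE = re.compile(r"doCAPIGetObjectByName: category=(\w+) name=(\S+)")
SRV_RE = re.compile(r"FindSrvFromDns\(\d+\): (\S+)")
REJECT_RE = re.compile(r"rejecting domain (\S+?)\.\s+Blocked")
SEARCH_RE = re.compile(r'base\.bind\.ldap (\S+) search base="([^"]*)" filter="([^"]*)"')
SAM_RE = re.compile(r"\(sAMAccountName=([^)]+)\)")
NOTFOUND_RE = re.compile(r"findObject: NotFound:(\S+)")


def is_upn(name):
    return "@" in name


def suggested_lookup(name):
    """Return (ldap_filter, netbios_form) for an identity taken from a certificate.

    A UPN has to be matched on userPrincipalName, ideally at a DC of the user's own
    domain; sAMAccountName never contains '@'. The NetBIOS form uses the assumed
    NETBIOS_BY_DNS map and falls back to the first DNS label."""
    if not is_upn(name):
        return "(sAMAccountName=%s)" % name, name
    user, dns_domain = name.split("@", 1)
    nb = NETBIOS_BY_DNS.get(dns_domain.lower(), dns_domain.split(".")[0])
    return "(userPrincipalName=%s)" % name, "%s\\%s" % (nb, user)


def triage(log_text):
    """Parse adclient CAPIGetObjectByName debug lines and list what went wrong."""
    result = {"identity": None, "category": None, "srv_lookups": [],
              "rejected_domains": [], "searches": [], "upn_as_sam": [],
              "not_found": None, "findings": []}
    for line in log_text.splitlines():
        m = NAME_RE.search(line)
        if m:
            result["category"], result["identity"] = m.group(1), m.group(2)
            continue
        m = SRV_RE.search(line)
        if m:
            result["srv_lookups"].append(m.group(1))
            continue
        m = REJECT_RE.search(line)
        if m:
            result["rejected_domains"].append(m.group(1))
            continue
        m = SEARCH_RE.search(line)
        if m:
            server, base, flt = m.groups()
            result["searches"].append({"server": server, "base": base, "filter": flt})
            sam = SAM_RE.search(flt)
            if sam and is_upn(sam.group(1)):   # UPN shoved into a sAMAccountName filter
                result["upn_as_sam"].append(server)
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            result["not_found"] = m.group(1)

    ident = result["identity"]
    if ident and is_upn(ident):
        user_domain = ident.split("@", 1)[1].lower()
        for d in result["rejected_domains"]:
            if d.lower() == user_domain:
                result["findings"].append(
                    "adclient rejected %s as 'not in DNS or our domain list': the user's own "
                    "forest was never contacted; check SRV resolution (e.g. _ldap._tcp.%s) "
                    "from the ISE node and the agent's trusted-domain list" % (d, d))
    for server in result["upn_as_sam"]:
        result["findings"].append(
            "%s was searched with sAMAccountName=<UPN>; sAMAccountName never contains "
            "'@', so that filter cannot match in any domain" % server)
    for s in result["searches"]:
        if s["server"].endswith(":3268") and s["base"] == "":
            result["findings"].append(
                "the GC search on %s only covers the GC's own forest; objects of a "
                "separate trusted forest are never replicated into it" % s["server"])
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("identity:", r["identity"], "(%s)" % r["category"])
    print("rejected domains:", r["rejected_domains"])
    for f in r["findings"]:
        print("-", f)
    print("suggested lookup:", suggested_lookup(r["identity"]))
```

Run it as-is and it reports the three findings for the constructed lines; point `triage()` at a real adclient debug extract to triage a different failure. The `suggested_lookup()` output is only the shape of the query that would work; whether ISE 1.1 can be made to send that shape is exactly the question the thread leaves open.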

8 Replies

alex.dersch
Enthusiast

I was now able to query user attributes from domain2; I had to provide the username in the format domain2\username. I believe this is the problem: I am sending the username in the wrong format. If I were able to modify the format from username@domain.ch to domain\username, everything would be fine.

regards

alex