alex.dersch
Enthusiast

ISE 1.1 EAP-TLS User Authentication in Multiforest

Hello,

We are currently evaluating ISE 1.1 in a multiforest environment and we have problems authenticating users who are based in a domain (domain2) other than the one ISE (domain) is based in.

This is the setup:

In domain1 is a MSFT CA with OCSP, DC and ISE

In domain2 is a DC and the users

There is a two-way trust between the domains.

This is my authentication scenario:

1. agent connects to a wireless network (ok)

2. client exchanges certificate information with ISE (ok)

3. ISE exchanges certificate status with CA (ok)

4. ISE extracts the Subject Alternative Name from the certificate dersa@domain2.ch (ok)

5. ISE queries Active Directory store for the user dersa@domain2.ch (not ok, fails with 22056 Subject not found)

In the log I can see the other forest (domain2) is not even queried to retrieve user data, only domain1.

I could query the other domain during AD setup and was able to add groups from the other domain, but I could retrieve attributes of the user in domain2.

Any ideas?

Regards

Alex

Extract from Log File

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="dersa@domain2.ch" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper 'dersa@domain2.ch' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete
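
Added example (not part of the original post, and not Cisco or Centrify code): a Python parser for the AD-agent debug lines quoted above that pulls out rejected domains and LDAP searches, and flags UPN-style names that were searched as `sAMAccountName`. The function name `analyse` and the report layout are assumptions; the sample lines are copied from the extract.

```python
import re

# Constructed sample: three lines copied from the log extract in the post above.
SAMPLE_LOG = """\
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
"""

LINE = re.compile(r"^\w+\s+<[^>]*>\s+(?P<component>\S+)\s+(?P<msg>.*)$")
REJECT = re.compile(r"rejecting domain (\S+?)\.\s+(.*)$")
SEARCH = re.compile(r'(?P<host>[\d.]+):(?P<port>\d+) search base="(?P<base>[^"]*)" filter="(?P<filter>.*)"$')
NAME_ATTR = re.compile(r"\((sAMAccountName|userPrincipalName)=([^)]*)\)")
GC_PORTS = {3268, 3269}  # standard AD global catalog ports (LDAP / LDAPS)


def analyse(log_text):
    """Return rejected domains, LDAP searches and findings from AD-agent debug lines."""
    rejected, searches, findings = [], [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        component, msg = m.group("component"), m.group("msg")
        if component == "base.adagent.domaininfo" and (r := REJECT.search(msg)):
            rejected.append((r.group(1).lower(), r.group(2)))
        elif component == "base.bind.ldap" and (s := SEARCH.match(msg)):
            attr = NAME_ATTR.search(s.group("filter"))
            searches.append({
                "server": s.group("host"),
                "port": int(s.group("port")),
                "global_catalog": int(s.group("port")) in GC_PORTS,
                "base": s.group("base"),
                "attr": attr and attr.group(1), "value": attr and attr.group(2),
            })
    for dom, reason in rejected:
        findings.append(f"domain {dom} rejected by the agent: {reason}")
    for s in searches:
        if s["attr"] == "sAMAccountName" and "@" in (s["value"] or ""):
            suffix = s["value"].rsplit("@", 1)[1].lower()
            note = " (suffix is a rejected domain)" if suffix in dict(rejected) else ""
            findings.append(f"UPN-style name {s['value']} searched as sAMAccountName "
                            f"on {s['server']}:{s['port']}{note}")
    return {"rejected": rejected, "searches": searches, "findings": findings}


if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE_LOG)["findings"]))
```
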

8 REPLIES 8
alex.dersch
Enthusiast

I was now able to query user attributes from domain2; I had to provide the username in this format: domain2\username. I believe this is the problem: I am sending the username in the wrong format. If I were able to modify the format from username@domain.ch to domain\username, everything would be fine.

Regards

Alex

Alex,

We need to see if the DNS server is able to resolve domain2. If you issue an nslookup for domain2, what do you see? Do you receive any responses? I would start there and see what that turns up. Also, what type of trust do you have enabled between domain1 and domain2? ISE uses Kerberos to authenticate these users, so we need to see whether you have an external trust configured between these domains; if so, authentication will fail since Kerberos is not allowed. Please use a forest trust, which allows Kerberos, and that should fix your issue.

If you were using ACS 4.2 at one point then it would have worked, because that uses NTLM auth.

Here is an article for reference:

http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html

Thanks,

Tarik Admani

Hello Tarik,

The trust type is forest trust. As I mentioned, I was able to retrieve user attributes when I do it in the Active Directory configuration procedure. What matters at the moment is the format of the username. I have to send it as domain\username. But I can't achieve this with Binary Certificate Comparison.

Regards

Alex

Alex,

It looks like ISE is unable to contact the GC for domain2. Are you able to resolve domain2? In the case where you are able to resolve the name using NetBIOS: when you use UPN (xxx@xxx.xx), that requires DNS to be operational, since it looks up the DNS domain and then sends the user request to the domain GC. My assumption is that when you use NetBIOS it sends the request to domain1's GC and then it is able to authenticate the user through the trust. I am not an AD expert, but I am assuming that is why one is working over the other.

When you issue a DNS query on the ISE CLI for domain2, do you receive any GCs in the response?

Thanks

Tarik Admani

Tarik,

From the ISE CLI I can nslookup domain2.lan and I get this result:

nos-ch-wbn-ise1/admin# nslookup domain2.lan

Trying "domain2.lan"

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373

;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:

;domain2.lan.              IN      ANY

;; ANSWER SECTION:

domain2.lan.       600     IN      A       192.168.68.21

domain2.lan.       600     IN      A       172.28.1.3

domain2.lan.       600     IN      A       172.28.1.2

domain2.lan.       600     IN      A       192.168.68.20

domain2.lan.       3600    IN      NS      labdc01.lab.lan.

domain2.lan.       3600    IN      NS      labdc02.lab.lan.

domain2.lan.       3600    IN      NS      labex01.lab.lan.

domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.

domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.

domain2.lan.       3600    IN      NS      mordor.softlink.ch.

domain2.lan.       3600    IN      NS      shire.softlink.ch.

domain2.lan.       3600    IN      NS      labex02.lab.lan.

domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.

domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.

domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.

domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600

;; ADDITIONAL SECTION:

labdc01.lab.lan.        3600    IN      A       172.28.2.196

bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20

bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21

bsfs02.domain2.lan. 1649   IN      A       172.28.1.2

bsfs03.domain2.lan. 595    IN      A       172.28.1.3

So I assume DNS is working fine.

Do I have to see the GC of the trusted domain as well in the ISE Active Directory configuration?

Thanks & regards

Alex

The best thing at this point is to open an SR with TAC, since the nslookup commands won't allow you to look for GCs through the CLI.

If you are looking for a quick solution, what you can do is configure the second domain as an LDAP instance, since you are using EAP-TLS. Then you can create an identity store sequence that will check AD, then LDAP.

I did notice the following replies:

domain2.lan.       3600    IN      NS      mordor.softlink.ch.

domain2.lan.       3600    IN      NS      shire.softlink.ch.

I don't know why these servers are being sent in the response.

Thanks,

Tarik Admani

Hello Tarik,

Those are external servers from our provider; I have to verify with them why this is like it is. At the moment I have multiple LDAP instances in the production environment with my ACS.

I don't know if I can open TAC cases with eval versions.

I'll try.

Regards

Alex

Alex,

Were you able to get the DNS info cleaned up?

Thanks
