ISE 2.2 Internal CA Customization

GTO-LAN Team
Level 1

Hello,

I am using ISE 2.2 to deliver certificates to Chromebook devices, with the Cisco NSA agent.

When Cisco NSA requests the certificate from ISE, it writes the Active Directory UserPrincipalName as the Common Name in the certificate. Unfortunately the UPN contains an @, which is not an allowed character (RFC 5280).

Is there a way to customize the internal CA behaviour to deliver certificates based on another identity field like sAMAccountName?

Thank you in advance for your help.

PS: The Google Chromium team has implemented an internal hack to ignore the issue (ChromeOS 63 and 64), but we do not know how long they will keep it...

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

No customization for such at the moment.

This issue is currently tracked by CSCvg97635.

9 Replies

Hello,

Thank you for the feedback and to see that the bug is finally readable.

Do you have any idea about when a fix could be expected?

Hello,

There is still no feedback about this issue (even if it is followed by a public bug):

- no resolution time estimation.

- nothing from Cisco about the eventual possibilities (in order to anticipate).

As a workaround, is there a way to block ISE from reading/retrieving some attributes in the Active Directory (like the UPN, for example)?

Thank you in advance for your help.

Suggest you escalate this through the TAC as a defect if it's breaking your network.

We already have a case open since 24th of November, but we never got the kind of information howon just shared.

It's in the defect workaround; also, if you're not getting anywhere you should escalate.

Workaround:

In AD, clear the UPN attribute value for the user when you create it and initiate portal authentication from the Chromebook. However, this only works if the UPN attribute is cleared prior to the initial ISE login.

Another potential workaround is to downgrade to ISE 2.1 patch 4+ or upgrade to ISE 2.3. Both versions have a related fix which honors whatever the user enters in the username field as the CN. IOW, if the username entered in the web portal was the shortname, ISE will generate the certificate with CN=shortname, and if the user entered UPN format, then the certificate will be generated as CN=UPN.

Thank you Jason,

The escalation is in progress, but we never received the information you shared.

I will try tomorrow to upgrade my sandbox to 2.3.

Thanks again for your time.

howon
Cisco Employee

Not a fix but a workaround: in ISE 2.1p4+ and ISE 2.3 there was a fix that honors whatever is entered into the username field as the CN value. The fix has not made it into 2.2 yet.

The plan is to fix CSCvg97635, but the above can be a suitable workaround.
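As an added defender-side check (not code from the thread or from Cisco): while waiting for the CSCvg97635 fix, an admin can audit the subject DNs of certificates already issued by the internal CA and flag the ones whose CN still carries a UPN-style "@", which the thread identifies as the condition that trips ChromeOS. The sample subjects and the domain below are constructed placeholders.

```python
# Constructed sample subject DNs as they might appear in an issued-certificate
# export; the usernames and organisation are placeholders, not values from the thread.
SAMPLE_SUBJECTS = [
    "CN=jdoe@example.com,OU=Chromebooks,O=Example",   # ISE 2.2 behaviour: CN = AD UPN
    "CN=jdoe,OU=Chromebooks,O=Example",               # 2.1p4+/2.3 behaviour with shortname entered
    "CN=Doe\\, Jane,OU=Chromebooks,O=Example",        # escaped comma inside the CN value
]


def parse_dn(dn):
    """Split an RFC 4514 string DN into (attribute, value) pairs.

    Handles backslash escapes so an escaped ',' inside a value is not
    mistaken for an RDN separator.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                       # unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def common_name(dn):
    """Return the first CN value of the DN, or None when there is no CN."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def upn_style_cns(subjects):
    """Return the CNs that still contain '@' and therefore need reissuing once the fix lands."""
    flagged = []
    for subject in subjects:
        cn = common_name(subject)
        if cn is not None and "@" in cn:
            flagged.append(cn)
    return flagged
```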

If 2.3 is acting as you describe, it is wonderful.

I will try to upgrade my sandbox to 2.3 tomorrow in order to evaluate the impacts on our configuration.

Thank you for the information, I'll keep you posted.
