ISE 2.3 Integration with AD - apostrophes in usernames

gregmoyse3
Level 1

Hi,

I have an ISE 2.3 (patch 4) deployment that is linked to our AD environment. Our AD username policy allows apostrophes (e.g. domain\dave.o'smith).

I have a staff WiFi area that uses the AD for authentication of users. Does ISE allow apostrophes, or should the user names be plain (i.e. domain\dave.osmith)?

At the moment, I have the 22056 - subject not found in applicable identity stores.

Where in ISE 2.3 can I find a detailed log of which identity stores ISE has tried?

Thanks

2 Accepted Solutions

Jason Kunst
Cisco Employee
I don't see anything saying it should be a problem but will reach out to an expert on this matter. Please check out https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc25

howon
Cisco Employee

That username should work, so expect it to be some other issue. On the live log, click on the details for the authentication event and it should tell you which identity store ISE tried. It should be listed in the Steps on the right-hand side. See example below:

15041 Evaluating Identity Policy
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - EXAMPLE\admin
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24325 Resolving identity - EXAMPLE\admin
24313 Search for matching accounts at join point - example.com
24315 Single matching account found in domain - example.com
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - admin@example.com
24402 User authentication against Active Directory succeeded - All_AD_Join_Points
22037 Authentication Passed


3 Replies

After a bit of troubleshooting, I found that this was affecting Apple devices. Windows and Android were okay.

A quick Google showed me an article where it appears that since iOS 11, a feature called 'Smart Punctuation' is replacing the vertical apostrophe (hex 27) with a slanted one (Unicode 2018, 2019), depending on where in the sentence the apostrophe is placed.

See https://forums.developer.apple.com/thread/89706
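
An added example, not part of any post in this thread: a Python check that flags apostrophe look-alikes in submitted identities and shows the ASCII form a directory lookup would expect. The step lines are constructed in the shape of the Steps output quoted in this thread, the function names are hypothetical, and the look-alike entries beyond U+2018/U+2019 are a generalization.

```python
import unicodedata

# Characters a "smart punctuation" keyboard may substitute for the ASCII
# apostrophe U+0027. U+2018/U+2019 are the two named in the thread; the
# remaining entries are extra look-alikes added here as an assumption.
LOOKALIKES = {
    "\u2018": "'",  # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",  # RIGHT SINGLE QUOTATION MARK
    "\u02bc": "'",  # MODIFIER LETTER APOSTROPHE
    "\u2032": "'",  # PRIME
    "\uff07": "'",  # FULLWIDTH APOSTROPHE
}

def inspect_identity(identity):
    """Return (ascii_form, findings); findings lists (index, code point, name)."""
    findings, out = [], []
    for pos, ch in enumerate(identity):
        if ch in LOOKALIKES:
            findings.append((pos, f"U+{ord(ch):04X}", unicodedata.name(ch)))
            out.append(LOOKALIKES[ch])
        else:
            out.append(ch)
    return "".join(out), findings

def scan_steps(lines, step_code="24325"):
    """Report identities in '<code> <message> - <identity>' lines that carry a look-alike."""
    report = []
    for line in lines:
        code, _, rest = line.partition(" ")
        if code != step_code or " - " not in rest:
            continue
        identity = rest.rsplit(" - ", 1)[1].strip()
        ascii_form, findings = inspect_identity(identity)
        if findings:
            report.append({"seen": identity, "expected": ascii_form, "findings": findings})
    return report

# Constructed sample lines (not real log output).
SAMPLE_STEPS = [
    "24325 Resolving identity - EXAMPLE\\dave.o'smith",
    "24325 Resolving identity - EXAMPLE\\dave.o\u2019smith",
    "24325 Resolving identity - EXAMPLE\\dave.o\u2018smith",
    "22037 Authentication Passed",
]

if __name__ == "__main__":
    for hit in scan_steps(SAMPLE_STEPS):
        print(repr(hit["seen"]), "->", repr(hit["expected"]), hit["findings"])
```

The two forms render almost identically on screen, so compare code points rather than the displayed username when a lookup fails for one client platform only.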

 

 

 
