ISE - Account Lookup

ryanmbess
Level 1

Hello,

We are in the beginning of an AD migration that uses ISE as its NAC solution.  I'm labbing it up and I've hit an issue.

AD Environment:

lab.com is the forest root

sub.lab.com is the child domain

We are migrating computers in the sub.lab.com to the lab.com AD domain.  Currently all computers, for better or worse, use MSCHAPv2 as the credential ISE is using to authenticate the endpoint.  So let's say I have a laptop called laptop1 in the sub.lab.com AD domain; when ISE receives the credential from the endpoint it's in the following format: host/laptop1.sub.lab.com.  This all works fine.

When I unbind and rebind laptop1 to lab.com this all seems to work, as the username received from the endpoint is then host/laptop1.lab.com.

Overview

Event: 5200 Authentication succeeded
Username: host/Laptop1.lab.com
Endpoint Id: 00:24:9B:65:72:E4
Endpoint Profile: Unknown
Authentication Policy: 802.1x >> 802.1x Password
Authorization Policy: 802.1x >> Workstation FallBack lab.com
Authorization Result: Workstation Fallback

Here's where the problem comes in.  Our org has a requirement that we must preserve the existing DNS domain for our computers.  Thus the A records for all the computers must be in the sub.lab.com DNS domain.  Once I push down a GPO that tells the client computer to register its DNS name in the sub.lab.com DNS domain (via the GPO setting called Primary DNS Suffix), the next authentication from the endpoint has the username as host/laptop1.sub.lab.com, which isn't found anymore.

Authentication Details

Source Timestamp: 2025-10-14 23:32:15.167
Received Timestamp: 2025-10-14 23:32:15.167
Policy Server: ise-02
Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 22056 Subject not found in the applicable identity store(s)
Resolution: Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resolution settings or if they do not support the current authentication protocol.
Root cause: Subject not found in the applicable identity store(s).
Username: host/laptop1.sub.lab.com

Given this, how can I tell ISE to look for this endpoint?  Like, what is ISE doing when it actually looks up objects?

1 Reply

Arne Bier
VIP

Is it perhaps because the Windows supplicant has the option to remember/cache the last used network authentication username? If the MSCHAP network authentication is configured into the supplicant, then perhaps the username needs to be modified as part of your migration GPO. I assume you're doing machine auth? In that case, the Windows supplicant doesn't prompt for the username, and it must be a config somewhere that you might be able to change. How else does the supplicant know that it has moved to a different part of the AD?

ISE is just taking the username as provided by the supplicant - you need to tell the supplicant to provide the correct username.
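Since the failing lookup in the question is for the exact string the supplicant presented, a useful first check is to see which names the directory actually holds for that computer in each domain. The following is an added diagnostic example, not code from the original post or from Cisco; it assumes the RSAT ActiveDirectory module and read access to both domains, and uses the username and domain names from the question as placeholders.

```powershell
# Added example (not from the post): given the username ISE logged, find where the
# computer object lives and which host names the directory currently holds for it.
# Assumes the RSAT ActiveDirectory module and rights to read both domains.
param(
    [string]$IseUsername = 'host/laptop1.sub.lab.com',   # value from the failed ISE event
    [string[]]$Domains   = @('lab.com', 'sub.lab.com')   # forest root and child from the post
)
Import-Module ActiveDirectory

# ISE received "host/<fqdn>"; strip the prefix to get the name the supplicant presented
$fqdn      = $IseUsername -replace '^host/', ''
$shortName = ($fqdn -split '\.')[0]

foreach ($domain in $Domains) {
    # Match on any of the names a lookup could reasonably key on: the DNS host name,
    # the host/ SPN, or the plain computer account name (sAMAccountName ends in $)
    $ldap = "(|(dNSHostName=$fqdn)(servicePrincipalName=host/$fqdn)(sAMAccountName=$shortName`$))"
    $hits = Get-ADComputer -Server $domain -LDAPFilter $ldap `
                -Properties dNSHostName, servicePrincipalName, CanonicalName `
                -ErrorAction SilentlyContinue
    if (-not $hits) {
        Write-Host "[$domain] no computer object matches $fqdn"
        continue
    }
    foreach ($c in $hits) {
        Write-Host "[$domain] found $($c.CanonicalName)"
        Write-Host "    dNSHostName : $($c.dNSHostName)"
        $hostSpns = $c.servicePrincipalName | Where-Object { $_ -like 'host/*' }
        Write-Host "    host/ SPNs  : $($hostSpns -join ', ')"
        # The name ISE sent has to appear on the object for a lookup against it to succeed
        if ($c.dNSHostName -ieq $fqdn -or $hostSpns -icontains "host/$fqdn") {
            Write-Host "    -> '$fqdn' is present on this object"
        } else {
            Write-Host "    -> '$fqdn' is NOT among this object's names; it is registered as $($c.dNSHostName)"
        }
    }
}
```

Run it once before and once after the Primary DNS Suffix GPO applies to see whether the computer object's dNSHostName and host/ SPNs change along with the name the supplicant sends.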