
ISE and AnyConnect NAM not getting the full username

ghermocilla
Level 1

Hi,

 

I'm using AnyConnect NAM as a supplicant on my Windows 10 (ver 1903) using wired authentication.

I'm using ISE 2.4 with patch 10 installed with EAP-FAST for the protocol.

I already configured the proper settings for the NAM using the profile editor.

Whenever I authenticate using the NAM, I use username@domain.com as my username.

When I view the RADIUS live logs in ISE, I get "identity not found in identity store", and I noticed that under the identity the username only appears without the domain.

I'm using an LDAP server as an external identity in ISE.

 

Is there someone having the same issues? Is there something wrong in the config? Or some bug maybe with AnyConnect not sending the actual username?

4 Replies

Hi Jason,
I also tried using PEAP (EAP-GTC) and got the same result.
For example, I input john.doe@domain.com; when you go to the RADIUS live logs, it only shows john.doe without the @domain.com.
I need the whole username to authenticate.

You will need to contact the TAC and attach to the defect; I will get my coworker to take a look as well. I don't believe there is a workaround.

hslai
Cisco Employee

AFAIK the usernames come from the 802.1X supplicant, not from what is set by ISE. Thus, please double-check how the username format is set in Configure User Credentials of the AnyConnect NAM profile.

If your LDAP has an attribute matching the username format without "@domain.com", then you may pick that as the subject name attribute instead.

If it is still an issue, please generate an AnyConnect DART bundle and engage Cisco TAC support.
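
Added example, not part of the thread and not Cisco code: a small offline check of which LDAP subject name attribute would match the identity that actually reaches the server when the realm has been stripped. The directory entries are constructed, and the attribute names (`uid`, `mail`, `userPrincipalName`) are assumptions about the LDAP schema; ISE's own lookup is not reproduced here.

```python
# Added example: constructed data, not output from ISE, NAM or a real directory.

# Constructed LDAP entries; the attribute names are assumptions about the schema.
DIRECTORY = [
    {"uid": "john.doe", "mail": "john.doe@domain.com",
     "userPrincipalName": "john.doe@domain.com"},
    {"uid": "jane.roe", "mail": "jane.roe@domain.com",
     "userPrincipalName": "jane.roe@domain.com"},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a supplied identity cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(subject_attr, identity):
    """Search filter for one subject name attribute and one identity."""
    return "(%s=%s)" % (subject_attr, escape_filter_value(identity))

def matches(subject_attr, identity, directory=DIRECTORY):
    """Case-insensitive equality match, as for ordinary directory strings."""
    wanted = identity.lower()
    return [e for e in directory if e.get(subject_attr, "").lower() == wanted]

def realm_stripped(typed, logged):
    """True when the logged identity is the typed one minus its @realm."""
    user, sep, _realm = typed.partition("@")
    return bool(sep) and logged == user

def diagnose(typed, logged, candidate_attrs, directory=DIRECTORY):
    """For the identity the server actually received, report per attribute
    the filter that would be searched and whether exactly one entry matches."""
    report = {"realm_stripped": realm_stripped(typed, logged), "attrs": {}}
    for attr in candidate_attrs:
        hits = matches(attr, logged, directory)
        report["attrs"][attr] = (build_filter(attr, logged), len(hits) == 1)
    return report

if __name__ == "__main__":
    result = diagnose("john.doe@domain.com", "john.doe",
                      ["uid", "mail", "userPrincipalName"])
    print("realm stripped:", result["realm_stripped"])
    for attr, (ldap_filter, unique) in result["attrs"].items():
        print(attr, ldap_filter, "match" if unique else "identity not found")
```

Feed it the identity shown in the RADIUS live log rather than the one typed at the prompt; an attribute that reports a match for the logged value is a candidate subject name attribute.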