cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

7554
Views
5
Helpful
7
Replies
stealthmode
Cisco Employee

ISE authenticating AD users with only domain name included

Hi,

 

I am performing a migration from ACS to ISE. Both these devices use a Win 2012 Server as External Identity sources. The connection to the AD is made via LDAP. Here is a sample of what is happening on all the network devices:

 

N7K# test aaa group ACS test@xyz.com C!sc0@123

user has failed authentication

N7K# test aaa group ACS test C!sc0@123

user has been authenticated

N7K# test aaa group ISE test C!sc0@123

user has failed authentication

N7K# test aaa group ISE test@xyz.com C!sc0@123

user has been authenticated

 

The ACS results in a successful authentication only when [username] is given and fails when [username]@[domain] is entered.

The ISE results in a successful authentication only when [username]@[domain] is given and fails when just the [username] is entered.

 

Why is there a difference when both are using the same AD to authenticate against? Also, for information, the exact username in the AD is [username]@[domain] and the [domain] cannot be stripped. How do I make ISE ignore the “@[domain]” section? I want the ISE to consider only the [username]. Is this some setting that needs to be done on the AD or on the ISE? Please let me know.

 

Thanks for your help

1 ACCEPTED SOLUTION

Accepted Solutions
Tobias Svensson
Beginner

You can define attributes that you reference under External Identity Sources->Your AD->Attributes.

 

You could change to SamAccountName here for instance, which is your username only instead of UserPrincipalName which is username@domain.

View solution in original post

7 REPLIES 7
Seb Rupik
VIP Advisor

Hi there,

What you require can be achieved with the Identity Re-Write settings in ISE.

 

Assuming you have an authentication policy which defines which Identity Store to use:

 

IF DEVICE is N7K THEN USE AD(xyz.com)

 

...this will rule will accept both [username] and [username]@[domain]. You then need to configure the Identity Re-Write:

 

Administration -> Identity Management -> Extenal Identity Sources -> Active Directory -> 'xyz.com'

Then under the 'Advanced' tab, scroll to the bottom for the 'Identity Re-Write' section.

Here you can define how usernames are handled. ISE by default will accept [username]@[domain], but if you want just [username] to be accepted add a rule like this:

 

If Identity Matches: [IDENTITY]  re-write as : [IDENTITY]@xyz.com

 

...this will append the domain name and then pass the request onto AD.

 

cheers,

Seb.

This is a useful bit of info, but, like mentioned, I am using LDAP to connect to the AD. These Identity rewrite operations are not present under the LDAP section. 

Can you help me here?

Got the answer. But, really thanks for this useful bit of info. :-) 

Hello abhsha,

 

How did you solve this? I am connecting the AD via LDAP as well.

HI,

 

how did you solve this? im having the same issue

If its the LDAP connector youre using you can specify 'cn' as 'Subject Name Attribute' instead under the General tab.

Tobias Svensson
Beginner

You can define attributes that you reference under External Identity Sources->Your AD->Attributes.

 

You could change to SamAccountName here for instance, which is your username only instead of UserPrincipalName which is username@domain.

View solution in original post

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel