ISE authenticating AD users with only domain name included

stealthmode
Cisco Employee

Hi,

 

I am performing a migration from ACS to ISE. Both these devices use a Win 2012 Server as External Identity sources. The connection to the AD is made via LDAP. Here is a sample of what is happening on all the network devices:

 

N7K# test aaa group ACS test@xyz.com C!sc0@123

user has failed authentication

N7K# test aaa group ACS test C!sc0@123

user has been authenticated

N7K# test aaa group ISE test C!sc0@123

user has failed authentication

N7K# test aaa group ISE test@xyz.com C!sc0@123

user has been authenticated

 

The ACS results in a successful authentication only when [username] is given and fails when [username]@[domain] is entered.

The ISE results in a successful authentication only when [username]@[domain] is given and fails when just the [username] is entered.

 

Why is there a difference when both are using the same AD to authenticate against? Also, for information, the exact username in the AD is [username]@[domain] and the [domain] cannot be stripped. How do I make ISE ignore the “@[domain]” section? I want the ISE to consider only the [username]. Is this some setting that needs to be done on the AD or on the ISE? Please let me know.

 

Thanks for your help

Accepted Solution

Tobias Svensson
Level 1

You can define attributes that you reference under External Identity Sources->Your AD->Attributes.

 

You could change to SamAccountName here for instance, which is your username only instead of UserPrincipalName which is username@domain.


7 Replies

Seb Rupik
VIP Alumni

Hi there,

What you require can be achieved with the Identity Re-Write settings in ISE.

 

Assuming you have an authentication policy which defines which Identity Store to use:

 

IF DEVICE is N7K THEN USE AD(xyz.com)

 

...this rule will accept both [username] and [username]@[domain]. You then need to configure the Identity Re-Write:

 

Administration -> Identity Management -> External Identity Sources -> Active Directory -> 'xyz.com'

Then under the 'Advanced' tab, scroll to the bottom for the 'Identity Re-Write' section.

Here you can define how usernames are handled. ISE by default will accept [username]@[domain], but if you want just [username] to be accepted add a rule like this:

 

If Identity Matches: [IDENTITY]  re-write as : [IDENTITY]@xyz.com

 

...this will append the domain name and then pass the request onto AD.

 

cheers,

Seb.

This is a useful bit of info, but, like mentioned, I am using LDAP to connect to the AD. These Identity rewrite operations are not present under the LDAP section. 

Can you help me here?

Got the answer. But, really thanks for this useful bit of info. :-) 

Hello abhsha,

 

How did you solve this? I am connecting the AD via LDAP as well.

Hi,

 

how did you solve this? I'm having the same issue

If it's the LDAP connector you're using you can specify 'cn' as 'Subject Name Attribute' instead under the General tab.

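To make the two fixes in this thread concrete, here is an added Python sketch (mine, not Cisco's or ISE's code) that models Seb's Identity Re-Write rule and the subject-attribute choice (sAMAccountName or cn versus userPrincipalName) against a constructed directory entry; the rule semantics, the xyz.com domain and the sample account are assumptions.

```python
import re

# Rewrite-rule semantics modelled on the ISE "Identity Re-Write" table from the thread.
# Assumption: rules are tried top to bottom, the first match wins, [IDENTITY] stands for
# the bare user part and [DOMAIN] for a domain suffix. Hypothetical helper, not ISE code.
REWRITE_RULES = [
    ("[IDENTITY]@[DOMAIN]", "[IDENTITY]@[DOMAIN]"),  # already qualified: pass through
    ("[IDENTITY]", "[IDENTITY]@xyz.com"),            # bare username: append the AD domain
]

def _pattern_to_regex(pattern):
    # Convert an ISE-style pattern into an anchored regex with named capture groups.
    rx = re.escape(pattern)
    rx = rx.replace(re.escape("[IDENTITY]"), r"(?P<identity>[^@]+)")
    rx = rx.replace(re.escape("[DOMAIN]"), r"(?P<domain>[^@]+)")
    return re.compile(rf"^{rx}$")

def rewrite_identity(identity, rules=REWRITE_RULES):
    # Return the identity as it would be sent to AD after the first matching rule fires.
    for match_pat, rewrite_pat in rules:
        m = _pattern_to_regex(match_pat).match(identity)
        if m:
            out = rewrite_pat.replace("[IDENTITY]", m.group("identity"))
            if m.groupdict().get("domain"):
                out = out.replace("[DOMAIN]", m.group("domain"))
            return out
    return identity  # no rule matched: identity is forwarded untouched

def ldap_escape(value):
    # RFC 4515 escaping so a typed identity cannot alter the structure of the filter.
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def ldap_user_filter(identity, subject_attr):
    # The LDAP connector's "Subject Name Attribute" picks which AD attribute the typed
    # identity is compared with: userPrincipalName expects user@domain, sAMAccountName
    # or cn expect the bare username.
    return f"(&(objectClass=user)({subject_attr}={ldap_escape(identity)}))"

# Constructed stand-in for the AD user in the question (not a real account).
DIRECTORY = [
    {"userPrincipalName": "test@xyz.com", "sAMAccountName": "test", "cn": "test"},
]

def find_user(identity, subject_attr):
    # Mimic the lookup: the typed identity must equal the chosen subject attribute.
    for entry in DIRECTORY:
        if entry.get(subject_attr, "").lower() == identity.lower():
            return entry
    return None
```

With userPrincipalName as the subject attribute, "test" finds nothing and "test@xyz.com" succeeds, which is the ISE behaviour in the question; switching the attribute to sAMAccountName or cn, or applying the rewrite rule first, makes the bare username work.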