09-22-2016 12:06 PM - edited 03-11-2019 12:06 AM
I have some users that are in both domain A and B. VPN authentications fail because of: 24704 Authentication failed because identity credentials are ambiguous
Is there a way to only search one domain (domain A), and not the other?
09-22-2016 12:14 PM
You can configure identity rewrite on ISE.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.html#concept_477DBF7BF0164628B0F2A471CEF445D5
Regards, - Jatin
09-22-2016 02:00 PM
The login being sent is yy0172. These are the messages from the radius livelog:
24343 RPC Logon request succeeded - yy0172@hcs.ad.try.edu
24343 RPC Logon request succeeded - yy0172@try.ad.try.edu
So both domain suffixes are being found, and then the request is being denied for being "ambiguous".
09-22-2016 02:47 PM
There is the "Authentication Domains" section within the Active Directory configuration that can be used to select a subset of domains against which authentication is performed.
From the on-line help on this area:
The domain to which Cisco ISE is joined has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that the authentications are performed against the selected domains only.
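The two fixes proposed in this thread (restricting the join point's authentication domains, and rewriting the identity with a domain suffix) can be checked against the livelog lines quoted above. The following is an added example, not ISE code and not from any poster: it parses the two 24343 lines from the thread plus a constructed third line for a user `jdoe`, flags which identities would hit 24704, and simulates what each fix does. Treating `hcs.ad.try.edu` as "domain A" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two livelog lines from the thread plus one made-up user (jdoe).
LIVELOG = """\
24343 RPC Logon request succeeded - yy0172@hcs.ad.try.edu
24343 RPC Logon request succeeded - yy0172@try.ad.try.edu
24343 RPC Logon request succeeded - jdoe@try.ad.try.edu
"""

LOGON_RE = re.compile(r"^24343 RPC Logon request succeeded - (?P<user>[^@\s]+)@(?P<domain>\S+)$")


def logon_matches(log_text):
    """Map each bare identity to the set of domains where an RPC logon succeeded."""
    matches = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            matches[m["user"]].add(m["domain"])
    return dict(matches)


def ambiguous_identities(matches):
    """Identities that match in more than one domain, i.e. the 24704 'ambiguous' case."""
    return sorted(user for user, domains in matches.items() if len(domains) > 1)


def resolve(matches, authentication_domains):
    """Simulate the 'Authentication Domains' restriction on the join point.

    Only the listed domains are considered. Each user resolves to
    ('ok', domain), ('ambiguous', domains) or ('not_found', None).
    """
    allowed_set = set(authentication_domains)
    result = {}
    for user, domains in matches.items():
        allowed = sorted(domains & allowed_set)
        if len(allowed) == 1:
            result[user] = ("ok", allowed[0])
        elif allowed:
            result[user] = ("ambiguous", tuple(allowed))
        else:
            result[user] = ("not_found", None)  # user exists only in an excluded domain
    return result


def rewrite_identity(user, suffix):
    """Identity rewrite: qualify a bare username with a domain suffix; leave UPN-style input alone."""
    return user if "@" in user else f"{user}@{suffix}"
```

Note that restricting to domain A also makes users who exist only in domain B (`jdoe` here) unresolvable, so check the livelog for such accounts before narrowing the authentication domains.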