Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2970
Views
0
Helpful
3
Replies

ISE authentication across 2 domains

bkoch1
Level 1
Level 1

‎09-22-2016 12:06 PM - edited ‎03-11-2019 12:06 AM

I have some users that are in both domain A and B. VPN authentications fail because of: 24704 Authentication failed because identity credentials are ambiguous

Is there a way to only search one domain (domain A), and not the other?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

‎09-22-2016 12:14 PM

You can configured identity re-write on ISE.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.html#concept_477DBF7BF0164628B0F2A471CEF445D5

Regards, - Jatin

~Jatin
0 Helpful

bkoch1
Level 1
Level 1
In response to Jatin Katyal

‎09-22-2016 02:00 PM

The login being sent is yy0172. These are the messages from the radius livelog:

24343 RPC Logon request succeeded - yy0172@hcs.ad.try.edu
24343 RPC Logon request succeeded - yy0172@try.ad.try.edu

So both domain suffixes are being found, and then the request is being denied for being "ambiguous".

0 Helpful

jrabinow
Level 7
Level 7
In response to bkoch1

‎09-22-2016 02:47 PM

There is the "Authentication Domains" section with the Active Directory configuration that can be used to select a subset of domains against which authentication is performed against

from on-line help on this area

The domain to which Cisco ISE is joined to has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that the authentications are performed against the selected domains only.

0 Helpful
Customers Also Viewed These Support Documents