cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3329
Views
0
Helpful
3
Replies

ISE authentication across 2 domains

bkoch1
Level 1
Level 1

I have some users that are in both domain A and B. VPN authentications fail because of: 24704 Authentication failed because identity credentials are ambiguous

Is there a way to only search one domain (domain A), and not the other?

3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

You can configured identity re-write on ISE.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISE-ADIntegrationDoc/b_ISE-ADIntegration.html#concept_477DBF7BF0164628B0F2A471CEF445D5

Regards, - Jatin

~Jatin

The login being sent is yy0172. These are the messages from the radius livelog:

24343 RPC Logon request succeeded - yy0172@hcs.ad.try.edu
24343 RPC Logon request succeeded - yy0172@try.ad.try.edu

So both domain suffixes are being found, and then the request is being denied for being "ambiguous".

There is the "Authentication Domains" section with the Active Directory configuration that can be used to select a subset of domains against which authentication is performed against

from on-line help on this area

The domain to which Cisco ISE is joined to has visibility to other domains with which it has a trust relationship. By default, Cisco ISE is set to permit authentication against all those trusted domains. You can restrict interaction with the Active Directory deployment to a subset of authentication domains. Configuring authentication domains enables you to select specific domains for each join point so that the authentications are performed against the selected domains only.