ISE Identity Rewrite question and syntax

Madura Malwatte
Level 4

I have a requirement to change the identity before it's passed to Active Directory. I understand this can be done with the Identity Rewrite feature on ISE 2.6 here. We are getting the following NTLM errors, which is why we are trying to resolve this:

"NTLM authentication failed for user ad.domain\shortname@ad.domain.
Reason: user name does not exist."

We want to rewrite the identity from ad.domain\shortname@ad.domain to ad.domain\firstname.lastname@company.domain

Questions:

1. What is the syntax to do firstname.lastname@company.domain? What do I use instead of [IDENTITY] to get the firstname and lastname?

2. What tells the client to send the shortname@ad.domain name instead of, say, AD-User-Qualified-Name, which I can see from the RADIUS live logs is firstname.lastname@[DOMAIN]?

3. Will making this change cause any impact to authentications? I did a test user lookup from the ISE external identity Active Directory, and lookups for shortname@ad.domain and firstname.lastname@company.domain are both successful.

Accepted Solution

Arne Bier
VIP

Hi @Madura Malwatte

Here is some more information I found on how this setup works.

From what I can see, this is a pattern match, and you can create any number of patterns. The "[IDENTITY]" is just a placeholder and the name "IDENTITY" has no special meaning/significance - it's just a variable like "X" or "Y". The key thing is the pattern matching. You have to construct a pattern of the expected INPUT, and then create the output pattern. But never in this process is there a special lookup (e.g. resolve arne.bier@mydomain to mydomain\abier) - that's beyond what this rewrite can do.

As for the question of what makes the client send shortname@domain instead of first.last@domain ... are you doing MSCHAPv2 auth? In that case it's what the user typed in. And if it's EAP-TLS then it depends on what you told ISE to look at in the certificate (Certificate Authentication Profile).

I think the ISE search mechanism for AD lookups is more complex than we think. It doesn't just search for the UPN (User Principal Name - e.g. abier@mydomain) but it will search for other fields too. This link might shed some more light, I hope. I have never quite understood it either, because AD is a bit more complex than I thought - and ISE is a bit of a black box - so in the end when things "just work" by accident, we are oblivious - but when they don't, then we are forced to try and understand how ISE is actually working under the hood.

I found that I can look up myself in AD using either biera@mydomain or arne.bier@myemail.domain - note that my AD domain and email domain are not the same.

Have a look at what your user attributes are when you perform a lookup in ISE (External Identities > AD > Test User).

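The placeholder mechanism the answer describes, modelled as an added Python example (this is not Cisco ISE code and not taken from the thread; it is a toy that behaves the way the answer explains): rules are ordered (input pattern, output pattern) pairs, a `[NAME]` token captures any non-empty text, the first matching rule wins, and the output can only reuse what the input pattern captured. The rule set, the `host/` and realm-rename rules, and the sample identities are constructed for illustration, and the claim that ISE stops at the first matching rule is an assumption of the model, not something the thread confirms.

```python
"""Toy model of the placeholder-based identity rewrite described in the thread.

Added illustration, not Cisco ISE code. Assumptions (modelled, not verified
against ISE): rules are ordered (input pattern, output pattern) pairs, a
[NAME] token matches any non-empty text, the first matching rule wins, and
the output may only reuse text the input pattern captured. There is no
directory lookup, so a value absent from the input cannot be produced.
"""
import re
from typing import Dict, List, Tuple

# A placeholder token such as [IDENTITY] or [DOMAIN].
TOKEN = re.compile(r"\[([A-Za-z0-9_]+)\]")


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn an input pattern into an anchored regex with one named group per
    placeholder. Literal text (including '\\', '.', '@', '/') is escaped so it
    must match exactly; a repeated placeholder must match the same text twice."""
    regex, pos, seen = "", 0, set()
    for tok in TOKEN.finditer(pattern):
        regex += re.escape(pattern[pos:tok.start()])
        name = tok.group(1)
        if name in seen:
            regex += f"(?P={name})"        # backreference: same text again
        else:
            regex += f"(?P<{name}>.+?)"    # capture any non-empty text
            seen.add(name)
        pos = tok.end()
    regex += re.escape(pattern[pos:])
    return re.compile("^" + regex + "$")


def rewrite(identity: str, rules: List[Tuple[str, str]]) -> str:
    """Apply the first rule whose input pattern matches the identity.
    Unmatched identities pass through unchanged. Raises ValueError if the
    output pattern names a placeholder the input never captured."""
    for in_pat, out_pat in rules:
        match = compile_pattern(in_pat).match(identity)
        if match is None:
            continue
        captured: Dict[str, str] = match.groupdict()

        def fill(tok: "re.Match[str]") -> str:
            name = tok.group(1)
            if name not in captured:
                raise ValueError(
                    f"output uses [{name}], which the input pattern never captured"
                )
            return captured[name]

        # A function replacement avoids backslash processing on captured text.
        return TOKEN.sub(fill, out_pat)
    return identity


def explain_failure(identity: str, rules: List[Tuple[str, str]]) -> str:
    """Return the rewritten identity, or 'error: ...' instead of raising."""
    try:
        return rewrite(identity, rules)
    except ValueError as exc:
        return f"error: {exc}"


# Constructed rule set for illustration (not from the post or from ISE docs).
RULES: List[Tuple[str, str]] = [
    ("host/[IDENTITY]", "[IDENTITY]"),                       # machine auth: drop host/
    ("[DOMAIN]\\[IDENTITY]@[REALM]", "[IDENTITY]@[REALM]"),  # drop the DOMAIN\ prefix
    ("[IDENTITY]@ad.domain", "[IDENTITY]@company.domain"),   # rename the realm
]

# What the original poster wanted: there is no [FIRSTNAME]/[LASTNAME] in the
# input, and a pattern rewrite cannot look them up, so this rule cannot work.
NAME_LOOKUP_RULE: List[Tuple[str, str]] = [
    ("[DOMAIN]\\[IDENTITY]@[REALM]", "[FIRSTNAME].[LASTNAME]@company.domain"),
]


if __name__ == "__main__":
    for ident in ["ad.domain\\shortname@ad.domain", "host/pc01.ad.domain",
                  "jdoe@ad.domain", "jdoe"]:
        print(f"{ident!r:40} -> {rewrite(ident, RULES)!r}")
    print(explain_failure("ad.domain\\shortname@ad.domain", NAME_LOOKUP_RULE))
```

Two things the toy makes visible: rewriting `ad.domain\shortname@ad.domain` with the constructed rules yields `shortname@ad.domain` and stops there, because only the first matching rule is applied (so a prefix strip and a realm rename that should both happen need one combined rule, not two), and the `firstname.lastname` output the poster asked for fails with an error rather than a lookup, since nothing in the input carries those values.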
