
742 Views | 10 Helpful | 5 Replies
jeff.grisso
Beginner

ISE username determination?

Hello, I had a question about Cisco ISE 2.4. I'm troubleshooting an intermittent 802.1x auth failure on macOS supplicants joining our corp WiFi.

When comparing a successful auth and a failed auth from the same client/user, we're seeing the username presented in the Cisco ISE live logs be first.last@company.com in the failed auth entries and ADshortname@ad.company.com in the successful auth entries.

I was wondering, what is the process that ISE uses to determine one format vs the other? I think if I knew this, it would help me focus my investigation into the client.

We are using AD-issued user certificates for 802.1x/EAP-TLS auth to our corp WiFi. The user's company email (first.last@company.com) is set in both the certificate's CN and SAN values. The user's AD shortname is not present in the certificate. ISE's Identity Rewrite rules were also checked and found not to apply (verified by event `24358 Match was not found for any existing identity rewrite rule` in successful auths by the same endpoint).

2 Accepted Solutions
Arne Bier
VIP Advisor

Hi @jeff.grisso

Have you tried looking up the account first.last@company.com manually in ISE External Identity Sources under 'Test User'? Use the 'Lookup' option from the dropdown, since there is no password for this instance. That should tell you whether the ISE AD Lookup logic can resolve this identity or not.

I also sometimes have to read this ancient document, which is quite revealing about the innards of ISE's AD processing - have a look - it might contain some wisdom too.

In general though, if your ISE Certificate Authentication Profile (under Admin > Identity Management > External Identity Sources) is correct, then ISE will take that CN and use it as a lookup in AD (if that's what you asked it to do). You don't need to look up a cert's identity in AD (select the option 'Identity Store [not applicable]') - you can simply extract the username, and then proceed to the Authorization stage in ISE where you can perform checks like AD Security Group membership - in that case ISE will retrieve the user's AD Groups for you.

hslai
Cisco Employee

Adding to the other responses...

[Shortname]@AD.[company].com is the User Principal Name (UPN) format. What you (jeff.grisso) observed is expected.

5 Replies
Flavio Miranda
Advisor

When it shows up with the username, it is probably presenting the user certificate, and when it shows up with the domain it did not present the user certificate, or maybe it is presenting the machine certificate. Either way I don't think this is an ISE problem. It seems to me more like a supplicant problem.

Mike.Cifelli
VIP Advisor

I am with @Flavio Miranda on the thought that this could be supplicant related and not ISE. I would start with verifying supplicant settings. If this issue is only occurring on a bucket of clients and not all clients then I would do a comparison between supplicant configurations.

jeff.grisso
Beginner

I tried to take it step by step by doing Wireshark captures and halting the client between phases:

It looks like my Macs are submitting the local user name [ADShortname] in the initial EAP "Response, Identity".

At this time the "User Name" in ISE matches this shortname and is retained in the ISE records as the RADIUS Username.

As EAP proceeds, the client submits the user's certificate (CN/SAN is the user's corp email address), and the "User Name" in ISE then seems to update from the ADShortname to the user's email.

As ISE hears back from AD about cert validity, the "User Name" updates again in ISE to [Shortname]@AD.[company].com.

This is what I'm seeing anyway... is this expected behavior?
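The three-stage progression described in the post above (outer EAP identity, then the identity the Certificate Authentication Profile extracts from the certificate, then the UPN returned by the AD lookup) can be modelled in a few lines. The following Python is an added troubleshooting model written for this thread; it is not Cisco ISE code and does not claim to reproduce ISE's internals. The dataclass fields, the CAP option names (`subject_cn`, `san_email`, `san_upn`, `identity_store`), the AD directory contents and the `flast` shortname are all constructed assumptions for the example. What it shows is that the username a live-log entry ends up with depends on how far the exchange got: an attempt that never completes the AD stage is left showing the certificate identity (the e-mail), while one that does shows the UPN.

```python
"""Hypothetical model of the ISE username progression discussed in this thread.

Not Cisco ISE code. Stages modelled:
  1. outer EAP Response/Identity sent by the supplicant
  2. identity extracted from the client certificate by the Certificate
     Authentication Profile (CAP)
  3. UPN returned by an AD lookup, when the CAP is configured to do one
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ClientCert:
    """Constructed stand-in for the certificate fields a CAP can read."""
    subject_cn: str
    san_rfc822: Optional[str] = None   # SAN rfc822Name (e-mail)
    san_upn: Optional[str] = None      # SAN otherName UPN (absent in the thread's certs)


@dataclass
class CertAuthProfile:
    """Assumed CAP settings: which cert field is the username, and whether to look it up."""
    use_identity_from: str = "subject_cn"      # "subject_cn" | "san_email" | "san_upn"
    identity_store: Optional[str] = "ad"       # None models 'Identity Store [not applicable]'


def extract_cert_identity(cert: ClientCert, profile: CertAuthProfile) -> Optional[str]:
    """Username the CAP would derive from the certificate, or None if the field is absent."""
    if profile.use_identity_from == "subject_cn":
        return cert.subject_cn
    if profile.use_identity_from == "san_email":
        return cert.san_rfc822
    if profile.use_identity_from == "san_upn":
        return cert.san_upn
    raise ValueError(f"unknown identity source {profile.use_identity_from!r}")


def resolve_username_stages(
    outer_identity: str,
    cert: ClientCert,
    profile: CertAuthProfile,
    ad_lookup: Callable[[str], Optional[str]],
) -> List[Tuple[str, str]]:
    """Ordered (stage, username) pairs, one per point at which the logged username can change.

    ad_lookup maps the certificate identity to a UPN, or returns None when the
    directory cannot resolve it (the 'Test User' > 'Lookup' failure case).
    """
    stages = [("eap_identity", outer_identity)]
    cert_id = extract_cert_identity(cert, profile)
    if cert_id is None:
        # CAP field missing from the cert: nothing to replace the outer identity with.
        stages.append(("cert_identity_missing", outer_identity))
        return stages
    stages.append(("cert_identity", cert_id))
    if profile.identity_store == "ad":
        upn = ad_lookup(cert_id)
        stages.append(("ad_upn", upn) if upn else ("ad_lookup_failed", cert_id))
    return stages


def final_username(stages: List[Tuple[str, str]]) -> str:
    """The username the log entry would show once the exchange stops."""
    return stages[-1][1]


# Constructed AD directory: e-mail as found in the cert -> UPN.
CONSTRUCTED_AD = {"first.last@company.com": "flast@ad.company.com"}


def constructed_ad_lookup(identity: str) -> Optional[str]:
    return CONSTRUCTED_AD.get(identity.lower())


if __name__ == "__main__":
    cert = ClientCert(subject_cn="first.last@company.com",
                      san_rfc822="first.last@company.com")
    for stage, name in resolve_username_stages("flast", cert, CertAuthProfile(),
                                               constructed_ad_lookup):
        print(f"{stage:22s} {name}")
```

Running the block prints the successful-auth progression `flast` -> `first.last@company.com` -> `flast@ad.company.com`; swapping in a lookup that returns None leaves the last stage at the e-mail, which is the shape of the failed entries described in the original question.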
