04-15-2022 03:23 PM
Hello, I had a question about Cisco ISE 2.4. I'm troubleshooting an intermittent 802.1x auth failure on macOS supplicants joining our corp WiFi.
When comparing a successful auth and a failed auth from the same client/user, we're seeing the username presented in the Cisco ISE live logs be first.last@company.com in the failed auth entries and ADshortname@ad.company.com in the successful auth entries.
I was wondering, what is the process that ISE uses to determine one format vs the other? I think if I knew this, it would help me focus my investigation into the client.
We are using AD-issued user certificates for 802.1x/EAP-TLS auth to our corp WiFi. The user's company email (first.last@company.com) is set in both the certificate's CN and SAN values. The user's AD shortname is not present in the certificate. ISE's Identity Rewrite rules were also checked and found not to apply (verified by event `24358 Match was not found for any existing identity rewrite rule` in successful auths by the same endpoint).
04-16-2022 05:56 AM
When it shows up with the username, it is probably presenting the user certificate, and when it shows up with the domain, it did not present the user certificate or maybe it is presenting the machine certificate. Either way I don't think this is an ISE problem. It seems to me more like a supplicant problem.
04-16-2022 09:27 AM
I am with @Flavio Miranda on the thought that this could be supplicant related and not ISE. I would start with verifying supplicant settings. If this issue is only occurring on a bucket of clients and not all clients then I would do a comparison between supplicant configurations.
04-18-2022 09:00 AM
I tried to take it step-by-step by doing Wireshark captures and halting the client between phases:
It looks like my Macs are submitting the local user name [ADShortname] in the initial EAP "Response, Identity".
At this time the "User Name" in ISE matches this shortname and is retained in the ISE records as the RADIUS Username.
As EAP proceeds, the client submits the user's Certificate (CN/SAN is the user's corp email address), and the "User Name" in ISE then seems to update from the ADShortname to the user's email.
As ISE hears back from AD about cert validity, the "User Name" updates again in ISE to [Shortname]@AD.[company].com.
This is what I'm seeing anyway... is this expected behavior?
04-19-2022 01:39 PM
Hi @jeff.grisso
Have you tried looking up the account first.last@company.com manually in ISE External Identity Sources under 'Test User'? Use the 'Lookup' option from the dropdown, since there is no password for this instance. That should tell you whether the ISE AD Lookup logic can resolve this identity or not.
I also sometimes have to read this ancient document, which is quite revealing about the innards of ISE's AD processing - have a look - it might contain some wisdom too.
In general though, if your ISE Certificate Authentication Profile (under Admin > Identity Management > External Identity Sources) is correct, then ISE will take that CN and use it as a lookup in AD (if that's what you asked it to do). You don't need to lookup a cert's identity in AD (select the option 'Identity Store [not applicable]') - you can simply extract the username, and then proceed to the Authorization stage in ISE where you can perform checks like AD Security Group membership - in that case ISE will retrieve the user's AD Groups for you.
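As an added example that is not part of this thread or of any Cisco tooling: before deciding what the Certificate Authentication Profile should extract, it helps to confirm with OpenSSL which identities the user certificate actually carries. The script below builds a constructed, self-signed stand-in for the certificate described in the question (corporate e-mail in both CN and SAN, no UPN otherName) and then pulls out the Subject CN, the SAN rfc822Name entries, and a count of otherName entries (where a Microsoft UPN would sit if the CA had included one). It assumes the `openssl` CLI is installed; the file names and the e-mail value are arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): inspect which identities a user
# certificate carries, i.e. what ISE's Certificate Authentication Profile
# can extract from it. Assumes the OpenSSL CLI is installed.
set -e

WORK=$(mktemp -d)
CERT="$WORK/user.pem"

# Constructed test certificate: throwaway key, 1-day validity, e-mail in
# CN and SAN, no otherName. Stand-in for the AD-issued cert in the question.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[dn]
CN = first.last@company.com
[v3_req]
subjectAltName = email:first.last@company.com
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/user.key" -out "$CERT" -config "$WORK/req.cnf" >/dev/null 2>&1

# Subject CN, read from the RFC 2253 subject line ("subject=CN=...").
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# rfc822Name (email:) entries of the SAN extension, one per line.
cert_san_emails() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^email://p'
}

# Number of otherName entries in the SAN; a Microsoft UPN would be one.
cert_othername_count() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | grep -c 'othername' || true
}

echo "CN:          $(cert_cn "$CERT")"
echo "SAN e-mail:  $(cert_san_emails "$CERT")"
echo "otherNames:  $(cert_othername_count "$CERT")"
```

Run it against a real exported user certificate by pointing `CERT` at that file and skipping the generation step; if the otherName count is zero, the UPN that ISE eventually displays cannot have come from the certificate itself and must have been resolved by the AD lookup.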
04-20-2022 08:15 PM
Adding to the other responses...
[Shortname]@AD.[company].com is the User Principal Name (UPN) format. What you (jeff.grisso) observed is expected.