07-11-2013 02:12 PM - edited 03-10-2019 08:38 PM
Hi,
I need to authenticate wireless network users from two different domains:
abc.company.com
cde.company.com
There is trust between the domains, and ISE is joined to abc.company.com and can authenticate and authorize its users without issues.
Users from cde.company.com cannot be authenticated (I don't even get to the authorization part).
My identity source list has only the external ID source listed, and when I look at the reason for the failure, the message states that authentication has failed (not authorization) because the user cannot be found in any identity store listed.
Now, users from the abc and cde companies are logging in with their usernames only. Should they try to log in with cde.company\username or something?
Has anyone done this before?
Thanks.
07-11-2013 03:46 PM
If you have trust between "abc.company.com" and "cde.company.com", then it has to work without issues.
If you have single sign-on, the machine will autocomplete the domain name even if you only specify the user.
If you don't have single sign-on, then you have to specify the domain name, for example cde\username or username@cde.company.com.
You can verify that the trust is working by going to "Administration > Identity Management > External Identity Sources > Active Directory > Attributes > Add > Select Attributes from Directory". There you can type cde\username, and if you get the attributes back, that means you have a trust relationship between cde and abc.
Please rate if this helps
07-12-2013 04:24 AM
If you were able to search the user attributes in the above test, that confirms the trust has been established. After that, you may have to add a UPN suffix or NetBIOS prefix to the username when authenticating to a domain that ISE is not joined to (a trusted domain), including child domains.
~BR
Jatin Katyal
**Do rate helpful posts**
07-12-2013 08:46 AM
I have trust. I can get the user information with cde\user and user@cde.company.com, but authentication is still not working. So, I see the user, but it is still not being authenticated by the policy.
Here is the log:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD-Suffolk
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
12315 PEAP inner method finished with failure
22028 Authentication failed and the advanced options are ignored
07-12-2013 09:58 AM
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s)
Looking at the above messages, it seems the authentication request got stuck at the identity store because the user was not found there. Is DNS resolution working fine for your trusted domain from ISE? Could you please log in to the ISE CLI and issue:
nslookup trusted-domain
If that works fine, then you may need to fetch the debug-level ISE-AD communication from ACS.
By the way, what version of ISE are you running?
~BR
Jatin Katyal
**Do rate helpful posts**
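To make the triage in the reply above repeatable, here is an added example (not code from any poster in this thread) in Python that parses an ISE authentication step log pasted in the form shown above, reports where the flow failed and which identity store was selected, and classifies an inner EAP identity by the forms the earlier replies describe (bare name, NetBIOS prefix, UPN suffix). The step-code meanings are taken from the step text in the posted log; the sample log is constructed from those lines, and the NetBIOS-to-DNS mapping is an assumption supplied by the caller.

```python
"""Triage helper for a Cisco ISE authentication step log (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Step codes and their meanings, as shown by the step text in the posted log.
TLS_HANDSHAKE_OK = "12816"    # TLS handshake succeeded
INNER_STARTED = "12313"       # PEAP inner method started
STORE_SELECTED = "15013"      # Selected Identity Store - <name>
USER_NOT_FOUND = "24412"      # User not found in Active Directory
SUBJECT_NOT_FOUND = "22056"   # Subject not found in the applicable identity store(s)
INNER_FAILED = "12315"        # PEAP inner method finished with failure
AUTH_FAILED = "22028"         # Authentication failed and the advanced options are ignored

FAILURE_CODES = (USER_NOT_FOUND, SUBJECT_NOT_FOUND, INNER_FAILED, AUTH_FAILED)
STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")


@dataclass
class Diagnosis:
    failed_step: Optional[str]      # first failure step code, None if none seen
    identity_store: Optional[str]   # store named by step 15013, if any
    tls_completed: bool             # outer PEAP/TLS tunnel came up
    inner_method_started: bool      # inner EAP exchange began inside the tunnel


def parse_steps(log_text: str):
    """Return [(code, message)]; unnumbered lines keep code ''.

    Trailing ' |' separators, as left behind when the ISE report table is
    copied into a post, are stripped first.
    """
    steps = []
    for raw in log_text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((m.group(1), m.group(2).strip()) if m else ("", line))
    return steps


def diagnose(steps) -> Diagnosis:
    """Locate the first failure step and the identity store it was hit in."""
    codes = [code for code, _ in steps]
    store = None
    failed = None
    for code, msg in steps:
        if code == STORE_SELECTED and " - " in msg:
            store = msg.split(" - ", 1)[1].strip()
        if failed is None and code in FAILURE_CODES:
            failed = code
    return Diagnosis(
        failed_step=failed,
        identity_store=store,
        tls_completed=TLS_HANDSHAKE_OK in codes,
        inner_method_started=INNER_STARTED in codes,
    )


def classify_identity(identity: str, joined_domain: str, netbios_to_dns: dict):
    """Classify an inner-method identity by the forms the replies describe.

    'DOMAIN\\user' -> ('netbios', dns_domain_or_None, user)
    'user@domain'  -> ('upn', domain, user)
    'user'         -> ('bare', joined_domain, user): no domain qualifier, so
                      only the joined domain is named; the thread reports that
                      bare names of trusted-domain users are not found.
    netbios_to_dns is an assumed lookup table (lower-case NetBIOS -> DNS name).
    """
    if "\\" in identity:
        prefix, user = identity.split("\\", 1)
        return ("netbios", netbios_to_dns.get(prefix.lower()), user)
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        return ("upn", suffix.lower(), user)
    return ("bare", joined_domain, identity)


# Constructed sample: the tail of the step log pasted in the thread, with the
# trailing '|' separators left in on purpose to exercise the cleanup.
SAMPLE_LOG = """\
12816 TLS handshake succeeded |
12313 PEAP inner method started |
Evaluating Identity Policy |
15006 Matched Default Rule |
15013 Selected Identity Store - AD-Suffolk |
24430 Authenticating user against Active Directory |
24412 User not found in Active Directory |
22056 Subject not found in the applicable identity store(s) |
12315 PEAP inner method finished with failure |
22028 Authentication failed and the advanced options are ignored |
"""

if __name__ == "__main__":
    print(diagnose(parse_steps(SAMPLE_LOG)))
    table = {"cde": "cde.company.com"}   # assumed NetBIOS -> DNS mapping
    for ident in ("jsmith", "CDE\\jsmith", "jsmith@cde.company.com"):
        print(ident, "->", classify_identity(ident, "abc.company.com", table))
```

Running the script on the sample shows the tunnel and inner method both completed and the failure is step 24412 in store AD-Suffolk, which is the point at which the domain qualifier on the identity matters: only the NetBIOS and UPN forms name cde.company.com.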
07-14-2013 07:19 PM
If there is trust between the domains, it should work fine. As you are stuck at the "user not found" error, you have to cross-check whether you are able to reach the AD from ISE. Perform a network trace and also check DNS resolution.
07-14-2013 10:46 PM
Hi, you may want to check the AD logs after setting them to trace mode. Also check the trust type and make sure it is set to external.
Sent from Cisco Technical Support Android App