11-13-2022 09:58 AM
Hello all,
I have Cisco ISE, and the integration between ISE and Active Directory is done.
When a user accesses the switches, routers, Palo Alto and F5 he gets authenticated by ISE via TACACS, but with FMC it uses RADIUS.
The problem:
1- Any user from Active Directory can't open the FMC, but any local user from ISE works fine.
2- Can't access any device with adel@internal.XXXXXX.com; internal\adel must be used.
Error:
Test Username : adel@internal.XXXXXX.com
ISE NODE : ISE1.internal.XXXXXXX.com
Scope : Default_Scope
Instance : ISE
Authentication Result : FAILED
Error : Identity not found; some of the domains were not available
Processing Steps:
14:57:49:713: Resolving identity - adel@internal.XXXXX.com
14:57:49:713: Search for matching accounts at join point - internal.XXXXX.com
14:57:49:715: DNS server returned error - internal.XXXXX.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.XXXXXX.com,ERROR_DOMAIN_IS_OFFLINE
14:57:49:715: Identity resolution detected no matching account
14:57:49:715: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE
11-13-2022 11:08 AM
Since the ISE processing steps show clearly what's going wrong, what is your question?
14:57:49:715: DNS server returned error - internal.XXXXX.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.XXXXXX.com,ERROR_DOMAIN_IS_OFFLINE
Now you have to figure out why the user wasn't found. ISE offers AD troubleshooting tools; run the tests and try a user login (try also the domain\username form).
Does AD authentication work with other policies?
Also, in ad_agent.log you may be able to find some information.
I can also remember a famous bug with the UPN field in some ISE versions; check the bug list as well.
Here is some more troubleshooting advice.
11-13-2022 01:28 PM
@Abdelrahman salah wrote:
...
2- Can't access any device with adel@internal.XXXXXX.com; internal\adel must be used.
...
If internal.XXXXXX.com is not your Active Directory domain, then you would likely need identity rewrite. See ISE Identity Rewrite question and syntax.
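The two technical threads above, the failing processing steps from the first post and the identity-rewrite suggestion, can be illustrated together. The following is an added example, not code from the thread or from Cisco: it parses the "Processing Steps" block exactly as ISE prints it, flags the DNS and domain-offline codes in the order they occurred (the first one is the one to fix), and shows the UPN-to-NetBIOS normalisation that an identity rewrite rule would perform. The sample log, the example.com domain and the NetBIOS mapping "INTERNAL" are constructed for this example; the real ISE rewrite syntax is configured in the AD identity source, not in Python.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Processing Steps from the original post, with the
# obfuscated domain replaced by an example domain.
SAMPLE_STEPS = """\
14:57:49:713: Resolving identity - adel@internal.example.com
14:57:49:713: Search for matching accounts at join point - internal.example.com
14:57:49:715: DNS server returned error - internal.example.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.example.com,ERROR_DOMAIN_IS_OFFLINE
14:57:49:715: Identity resolution detected no matching account
14:57:49:715: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE
"""

# "HH:MM:SS:mmm: message - detail"; the detail part is optional.
STEP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}): (.+?)(?: - (.+))?$")

# Error codes seen in the thread and what each points at.
CAUSES = {
    "ERROR_DNS_ERROR_DOMAIN_NOT_FOUND":
        "the DNS servers configured on the ISE node cannot resolve the join point; "
        "check the node's DNS settings and the AD SRV records",
    "ERROR_DOMAIN_IS_OFFLINE":
        "ISE marked the domain offline, normally a consequence of the DNS failure; "
        "check the join point status in the AD identity source",
    "ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE":
        "the user was not found only because a domain could not be searched; "
        "the account may well exist",
}


def parse_steps(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn the Processing Steps text into a list of step records."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if not m:
            continue
        ts, message, detail = m.groups()
        code = None
        if detail:
            if "," in detail:
                # "domain,ERROR_CODE" form used on the DNS and LDAP lines
                detail, code = detail.rsplit(",", 1)
            elif detail.startswith("ERROR_"):
                # bare error code, as on the final "failed" line
                detail, code = None, detail
        steps.append({"time": ts, "message": message, "detail": detail, "code": code})
    return steps


def first_cause(steps: List[Dict[str, Optional[str]]]) -> Optional[str]:
    """Earliest error code in the trace; fixing it usually clears the later ones."""
    for s in steps:
        if s["code"]:
            return s["code"]
    return None


def diagnose(steps: List[Dict[str, Optional[str]]]) -> List[str]:
    """Human-readable findings for every known error code in the trace."""
    findings = []
    for s in steps:
        if s["code"] in CAUSES:
            where = f" ({s['detail']})" if s["detail"] else ""
            findings.append(f"{s['code']}{where}: {CAUSES[s['code']]}")
    return findings


def rewrite_identity(identity: str, netbios_by_dns: Dict[str, str]) -> str:
    """Rewrite user@dns.suffix to NETBIOS\\user when the suffix is a known join
    point. Identities already in domain\\user form, bare usernames and unknown
    suffixes are returned unchanged so nothing is silently mapped to the wrong
    domain. The mapping is an assumption supplied by the caller."""
    if "\\" in identity or "@" not in identity:
        return identity
    user, _, suffix = identity.rpartition("@")
    netbios = netbios_by_dns.get(suffix.lower())
    if not netbios or not user:
        return identity
    return f"{netbios}\\{user}"


if __name__ == "__main__":
    parsed = parse_steps(SAMPLE_STEPS)
    print("first cause:", first_cause(parsed))
    for finding in diagnose(parsed):
        print(" -", finding)
    # constructed mapping: DNS suffix -> NetBIOS name
    print(rewrite_identity("adel@internal.example.com", {"internal.example.com": "INTERNAL"}))
```

Run it on a pasted Processing Steps block from the ISE test-user tool; the first error code reported is the one to chase, which in the thread is the DNS lookup of the join point rather than the user account itself.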
11-15-2022 05:16 PM
Hi,
I think this bug does not affect version 3.1.0.518, and I installed the 3.1.0.518 patch 1, but the issue is not solved.
Still can't access any device with radel@internal.XXXXXX.com; internal\radel must be used, despite the fact that I can open any PC with radel@internal.XXXXXXX.com.
11-19-2022 05:00 PM
@Abdelrahman salah As you said, the Windows PC is able to use the UPN but ISE can't. This might relate to configuration, such as the DNS servers, that affects how ISE is able to find the Active Directory domain.
I would suggest engaging Cisco TAC to troubleshoot.