582 Views · 5 Helpful · 4 Replies

ISE with FMC Issue

Hello all,

I have Cisco ISE and the integration between the ISE and the active directory is done.

When a user accesses the switches, routers, Palo Alto and F5, he is authenticated by ISE via TACACS, but with the FMC we are using RADIUS.

The problem :

1- Any user from Active Directory can't open the FMC, but any local user from ISE works fine.

2- Can't access any device with adel@internal.XXXXXX.com; internal\adel has to be used instead.

Error:

Test Username : adel@internal.XXXXXX.com
ISE NODE : ISE1.internal.XXXXXXX.com
Scope : Default_Scope
Instance : ISE

Authentication Result : FAILED

Error : Identity not found; some of the domains were not available


Processing Steps:
14:57:49:713: Resolving identity - adel@internal.XXXXX.com
14:57:49:713: Search for matching accounts at join point - internal.XXXXX.com
14:57:49:715: DNS server returned error - internal.XXXXX.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.XXXXXX.com,ERROR_DOMAIN_IS_OFFLINE
14:57:49:715: Identity resolution detected no matching account
14:57:49:715: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

4 Replies

Thomas Schmitt
Level 1

Since the ISE processing steps show clearly what's going wrong, what is your question?

14:57:49:715: DNS server returned error - internal.XXXXX.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.XXXXXX.com,ERROR_DOMAIN_IS_OFFLINE

Now you have to figure out why the user wasn't found. ISE offers AD troubleshooting tools; run the test and try a user login (try also the domain\username form).

Does AD authentication work with other policies?

Also, in ad_agent.log you may be able to find some information.

I can also remember a famous bug with the UPN field in some ISE versions; check also the bug list.

Here is some more troubleshooting advice.


hslai
Cisco Employee

@Abdelrahman salah wrote:

...

2- can't access any device by adel@internal.XXXXXX.com should be use internal\adel

 

...


If internal.XXXXXX.com is not your Active Directory domain, then you would likely need identity rewrite. See ISE Identity Rewrite question and syntax.
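The two replies above point at the same triage: read the processing steps to see which join point ISE tried and why it failed, then decide whether the UPN suffix even matches the joined domain (the case where identity rewrite applies). The script below is an added example, not code from this thread or from Cisco. It takes the processing-steps block posted above as constructed sample input, extracts the identity, the join point and every ERROR_ code, and maps each code to the next thing to check; the mapping is an assumed interpretation of the error names, not Cisco documentation, and the DC locator SRV record name it mentions (_ldap._tcp.dc._msdcs.<domain>) is the standard Active Directory one. The rewrite_to_netbios helper is only an illustration of what an identity-rewrite rule does (UPN suffix to DOMAIN\user); it is not ISE's rule syntax.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "Processing Steps" block from the thread,
# with the domain placeholders kept exactly as posted.
SAMPLE_STEPS = """\
14:57:49:713: Resolving identity - adel@internal.XXXXX.com
14:57:49:713: Search for matching accounts at join point - internal.XXXXX.com
14:57:49:715: DNS server returned error - internal.XXXXX.com,ERROR_DNS_ERROR_DOMAIN_NOT_FOUND
14:57:49:715: LDAP search in forest failed - internal.XXXXXX.com,ERROR_DOMAIN_IS_OFFLINE
14:57:49:715: Identity resolution detected no matching account
14:57:49:715: Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE
"""

# Error codes seen in the thread, mapped to what to check next.
# Assumed interpretation of the error names, not Cisco documentation.
NEXT_CHECK = {
    "ERROR_DNS_ERROR_DOMAIN_NOT_FOUND":
        "the ISE node's DNS servers cannot resolve the domain; verify the DNS server "
        "list on the node and that _ldap._tcp.dc._msdcs.<domain> SRV records answer",
    "ERROR_DOMAIN_IS_OFFLINE":
        "no reachable domain controller for the join point; check join status and DC "
        "connectivity in the AD diagnostic tool",
    "ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE":
        "the lookup never reached a DC; fix the DNS/connectivity errors before "
        "treating this as a missing account",
}

# "<hh:mm:ss:ms>: <message>[ - <detail>]"
STEP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}): (.*?)(?: - (.*))?$")


@dataclass
class Identity:
    user: str
    domain: Optional[str]
    form: str  # "upn", "netbios" or "bare"


def parse_identity(raw: str) -> Identity:
    """Split user@domain (UPN) or DOMAIN\\user; the domain part is what ISE resolves."""
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
        return Identity(user, dom, "netbios")
    if "@" in raw:
        user, dom = raw.rsplit("@", 1)
        return Identity(user, dom, "upn")
    return Identity(raw, None, "bare")


def triage(steps_text: str) -> dict:
    """Walk the processing steps; collect identity, join point, error codes and next checks."""
    result = {"identity": None, "join_point": None, "errors": [], "next_checks": []}
    for line in steps_text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        _ts, msg, detail = m.groups()
        if msg == "Resolving identity":
            result["identity"] = parse_identity(detail)
        elif msg == "Search for matching accounts at join point":
            result["join_point"] = detail
        elif detail and "ERROR_" in detail:
            # detail is "<domain>,<CODE>" or just "<CODE>"
            code = detail.rsplit(",", 1)[-1].strip()
            result["errors"].append(code)
            result["next_checks"].append(NEXT_CHECK.get(code, "unmapped code: " + code))
    return result


def domain_mismatch(r: dict) -> bool:
    """True when the UPN suffix differs from the join point: the case identity rewrite targets."""
    ident, jp = r["identity"], r["join_point"]
    return bool(ident and ident.domain and jp and ident.domain.lower() != jp.lower())


def rewrite_to_netbios(raw: str, suffix_to_netbios: dict) -> str:
    """Illustrative stand-in for an identity-rewrite rule: UPN suffix -> DOMAIN\\user."""
    ident = parse_identity(raw)
    if ident.form == "upn" and ident.domain.lower() in suffix_to_netbios:
        return f"{suffix_to_netbios[ident.domain.lower()]}\\{ident.user}"
    return raw


if __name__ == "__main__":
    r = triage(SAMPLE_STEPS)
    print("identity:", r["identity"], "join point:", r["join_point"])
    print("suffix/join-point mismatch:", domain_mismatch(r))
    for code, check in zip(r["errors"], r["next_checks"]):
        print(f"{code}: {check}")
```

On the sample, the UPN suffix equals the join point, so the script reports no mismatch and points at the DNS and domain-offline errors first, which matches the advice in the thread: resolve why the join point is unreachable from the ISE node before looking at the account itself.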

Hi,

I think version 3.1.0.518 is not affected by this bug, and I installed 3.1.0.518 patch 1, but the issue is not solved.

I still can't access any device with radel@internal.XXXXXX.com; internal\radel has to be used, despite the fact that I can open any PC with radel@internal.XXXXXXX.com.


hslai
Cisco Employee

@Abdelrahman salah As you said, the Windows PC is able to use the UPN but ISE can't. This might relate to configurations, such as DNS servers, that affect how ISE is able to find the Active Directory domain.

I would suggest engaging Cisco TAC to troubleshoot.