04-29-2021 06:36 AM
We have specific users that have both an Admin account and a normal account. We are using EAP-TLS and have found that they fail authentication. ISE responds with a:
24324 | Identity resolution detected multiple matching accounts | |
24417 | User's Groups retrieval from Active Directory failed |
The RADIUS user name is first.lastname@csiweb.com. I am trying to determine what attributes are being retrieved that make it think that the accounts are the same; the sAMAccountName and UPN are different in AD.
Would the debug logs give me some of this information?
Thanks,
Joe
04-29-2021 07:35 AM
Currently we are using the Subject Alternative Name. I think I can change this to the Common Name to resolve the issue; is there a best practice, or which fits best for that particular deployment?
Thanks,
Joe
04-30-2021 10:58 PM
CSCvu35802 "Shared email for AD users fail to retrieve groups, ISE shows multiple account found in forest"
might be what you are hitting.
05-03-2021 09:28 AM
Thanks for the response. In looking at the bug, I don't know if I can change to UPN, as the UPN reflects our internal domain @csi.corp, while the username is @csiweb.com (from the Subject Alt Name). I am going to test with the Certificate Authentication Profile changed to the Common Name, as that seems to be unique.
Thanks,
Joe
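The situation in the thread above (two AD accounts for one person sharing a mail attribute, and the question of which certificate field to use as the identity) can be checked before touching the Certificate Authentication Profile. The following is an added example, not code from the thread or from Cisco ISE: a toy model of certificate identity resolution against a directory. The directory entries, certificate fields, and the `LOOKUP_ATTRS` mapping of certificate field to directory attributes are all constructed assumptions for the demo, not ISE's documented lookup order.

```python
"""Added example: model why a certificate identity taken from the SAN email
resolves to two AD accounts (normal + admin) while CN or UPN resolves to one.
All data below is constructed sample data, not taken from a real directory.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AdAccount:
    sAMAccountName: str
    userPrincipalName: str
    mail: str
    distinguishedName: str


# Constructed directory: one person with a normal and an admin account.
# Both accounts carry the same mail attribute, which is what causes the
# ambiguity when the identity comes from the SAN rfc822Name.
DIRECTORY: List[AdAccount] = [
    AdAccount("jsmith", "jsmith@csi.corp", "john.smith@csiweb.com",
              "CN=John Smith,OU=Users,DC=csi,DC=corp"),
    AdAccount("jsmith-adm", "jsmith-adm@csi.corp", "john.smith@csiweb.com",
              "CN=John Smith (Admin),OU=Admins,DC=csi,DC=corp"),
    AdAccount("adoe", "adoe@csi.corp", "alice.doe@csiweb.com",
              "CN=Alice Doe,OU=Users,DC=csi,DC=corp"),
]

# Assumed mapping (for the demo only) from a certificate identity field to the
# directory attributes that field is compared against during resolution.
LOOKUP_ATTRS: Dict[str, List[str]] = {
    "SAN:rfc822Name": ["mail", "userPrincipalName"],
    "SAN:UPN": ["userPrincipalName"],
    "CN": ["sAMAccountName", "userPrincipalName", "mail"],
}

# Constructed certificate fields for the admin account's EAP-TLS client cert.
ADMIN_CERT: Dict[str, str] = {
    "CN": "jsmith-adm",
    "SAN:rfc822Name": "john.smith@csiweb.com",
    "SAN:UPN": "jsmith-adm@csi.corp",
}


def resolve(value: str, attrs: List[str],
            directory: List[AdAccount] = DIRECTORY) -> List[AdAccount]:
    """Return every account where any attribute in `attrs` equals `value`.
    AD string matching is case-insensitive, so compare lower-cased."""
    wanted = value.lower()
    return [acct for acct in directory
            if any(getattr(acct, a).lower() == wanted for a in attrs)]


def classify(hits: List[AdAccount]) -> str:
    """Map a hit list to the outcome an authenticator would report.
    AMBIGUOUS is the analogue of 'multiple matching accounts'."""
    if not hits:
        return "NOT_FOUND"
    if len(hits) == 1:
        return "UNIQUE"
    return "AMBIGUOUS"


def check_cert_identity(cert: Dict[str, str]) -> Dict[str, str]:
    """For each identity field present in the certificate, report whether
    using that field as the identity would resolve to exactly one account."""
    return {field: classify(resolve(value, LOOKUP_ATTRS[field]))
            for field, value in cert.items() if field in LOOKUP_ATTRS}


def find_shared_values(attr: str,
                       directory: List[AdAccount] = DIRECTORY) -> Dict[str, List[str]]:
    """Directory audit: list values of `attr` that more than one account shares,
    keyed by value, with the sAMAccountNames that share it. An attribute with
    no shared values is safe to use as the certificate identity."""
    by_value: Dict[str, List[str]] = {}
    for acct in directory:
        by_value.setdefault(getattr(acct, attr).lower(), []).append(acct.sAMAccountName)
    return {v: names for v, names in by_value.items() if len(names) > 1}


if __name__ == "__main__":
    for field, outcome in check_cert_identity(ADMIN_CERT).items():
        print(f"{field:16s} -> {outcome}")
    print("shared mail values:", find_shared_values("mail"))
    print("shared UPN values: ", find_shared_values("userPrincipalName"))
```

Running it shows the SAN email resolving as AMBIGUOUS while CN and UPN resolve as UNIQUE, and the audit reports the one mail value shared by the normal and admin accounts. Running the audit against a real directory export (with `find_shared_values` on the attribute you intend to use) is the check to do before switching the profile to a different certificate field.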