Multiple Matches for users with two AD accounts.

joeharb
Level 5

We have specific users that have both an Admin account and a normal account. We are using EAP-TLS and have found that they fail authentication. ISE responds with:

24324 Identity resolution detected multiple matching accounts
24417 User's Groups retrieval from Active Directory failed
The RADIUS username is in the form first.lastname@csiweb.com. I am trying to determine what attributes are being retrieved that make it think the accounts are the same... the sAMAccountName and UPN are different in AD.

Would the debug logs give me some of this information?

Thanks,

Joe

3 Replies

joeharb
Level 5

Currently we are using the Subject Alternative Name; I think I can change this to the Common Name to resolve the issue. Is there a best practice for which fits best for that particular deployment?

Thanks,

Joe

hslai
Cisco Employee

CSCvu35802 Shared email for AD users fail to retrieve groups, ISE shows multiple account found in forest

might be what you are hitting.

Thanks for the response. Looking at the bug, I don't know if I can change to UPN, as the UPN reflects our internal domain @csi.corp, while the username is @csiweb.com (from the Subject Alt Name). I am going to test changing the Certificate profile to the Common Name, as that seems to be unique.

Thanks,

Joe
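The thread's failure mode is that the identity taken from the certificate (the SAN e-mail) maps onto an AD attribute that two accounts share, so the lookup returns more than one account and ISE reports "24324 Identity resolution detected multiple matching accounts". The following script is an added example, not code from the thread or from Cisco ISE; it simulates that lookup over a constructed directory of three accounts and lets you audit which AD attribute is unique before changing the certificate authentication profile. The mapping of certificate fields to AD attributes (`CERT_FIELD_TO_AD_ATTR`), the account records and the names `resolve_identity` / `ambiguous_values` are all assumptions made for the example.

```python
"""Simulate certificate-based identity resolution against a small, constructed
AD dataset and report which attribute values would match more than one account.
Added example; the cert-field-to-attribute mapping is an assumption, not an
ISE implementation detail."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str
    upn: str
    mail: Optional[str]


# Constructed sample directory: one person with a normal and an admin account
# that share a mail attribute (the pattern described in the thread), plus an
# unrelated user. Values are invented for the example.
SAMPLE_DIRECTORY: List[AdAccount] = [
    AdAccount("jdoe", "jdoe@csi.corp", "first.lastname@csiweb.com"),
    AdAccount("jdoe-adm", "jdoe-adm@csi.corp", "first.lastname@csiweb.com"),
    AdAccount("asmith", "asmith@csi.corp", "a.smith@csiweb.com"),
]

# Assumed mapping: which AD attribute a given certificate field is compared
# against when the identity is resolved.
CERT_FIELD_TO_AD_ATTR = {
    "san_rfc822name": "mail",        # SAN e-mail -> AD mail attribute
    "cn": "sam_account_name",        # Common Name -> sAMAccountName
    "upn": "upn",                    # SAN UPN -> userPrincipalName
}


class MultipleMatches(Exception):
    """Identity resolved to more than one account (cf. ISE message 24324)."""


class NoMatch(Exception):
    """Identity resolved to no account."""


def resolve_identity(directory: List[AdAccount], cert_field: str, value: str) -> AdAccount:
    """Return the single account whose mapped attribute equals `value`
    (case-insensitive); raise if zero or several accounts match."""
    attr = CERT_FIELD_TO_AD_ATTR[cert_field]
    wanted = value.lower()
    matches = [
        acct for acct in directory
        if getattr(acct, attr) is not None and getattr(acct, attr).lower() == wanted
    ]
    if not matches:
        raise NoMatch(f"{cert_field}={value!r} matched no account")
    if len(matches) > 1:
        raise MultipleMatches(
            f"{cert_field}={value!r} matched {len(matches)} accounts: "
            + ", ".join(a.sam_account_name for a in matches)
        )
    return matches[0]


def ambiguous_values(directory: List[AdAccount], attr: str) -> List[str]:
    """List attribute values shared by more than one account. Any value in the
    result would trigger a multiple-match failure if used as the identity."""
    counts = Counter(
        getattr(acct, attr).lower() for acct in directory if getattr(acct, attr) is not None
    )
    return sorted(v for v, n in counts.items() if n > 1)


if __name__ == "__main__":
    for attr in ("mail", "sam_account_name", "upn"):
        print(f"{attr:17s} ambiguous values: {ambiguous_values(SAMPLE_DIRECTORY, attr)}")
    try:
        resolve_identity(SAMPLE_DIRECTORY, "san_rfc822name", "first.lastname@csiweb.com")
    except MultipleMatches as exc:
        print("SAN e-mail lookup:", exc)
    print("CN lookup:", resolve_identity(SAMPLE_DIRECTORY, "cn", "jdoe-adm").sam_account_name)
```

Run it as-is to see the SAN e-mail lookup fail with two matches while the CN lookup returns exactly one account; to check a real environment, replace `SAMPLE_DIRECTORY` with an export of sAMAccountName, userPrincipalName and mail from the domain and look for a non-empty `ambiguous_values` result on whichever attribute the certificate profile selects.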