11-14-2018 11:06 AM
Hello,
I have ISE VM 2.0.0.306 which is using RADIUS authentication just for AAA.
I am having a certificate issue with our Palo Alto remote access VPN. When the client connects to their VPN, the firewall looks at the User Principal Name, which is "username@domainname.com"; in some cases it might be "username@other.domainname.com".
The problem is the authentication doesn't work because the firewall is supposed to only send the username of the UPN when authenticating to LDAP. It should not be sending anything after the '@' symbol.
If I send the VPN authentication request to ISE would it be possible for ISE to strip everything after the @ symbol and then authenticate against AD?
11-14-2018 11:35 AM
Definitely. Check out:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf
Specifically "Identity Rewrite". You can put square brackets around any part of the identity you wish and then tokenize as you see fit. After ISE performs the changes you wish, it will then authenticate with that identity.
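To make the bracketed-token idea concrete, here is a small Python model of how such rewrite rules behave. This is an added illustration for this thread, not ISE's code or anything from the admin guide; the token names ([IDENTITY], [DOMAIN], [HOSTNAME]) follow the examples in the guide's Identity Rewrite section, and the sample identities, rule list and first-match ordering are constructed assumptions for the example.

```python
import re

# Rules in "If identity matches" -> "Rewrite as" form. Text in [square brackets]
# is a token that captures part of the identity; everything else must match
# literally. These three rules are constructed for the example.
RULES = [
    ("host/[HOSTNAME].[DOMAIN]", "host/[HOSTNAME]"),  # machine auth: drop DNS suffix
    ("[IDENTITY]@[DOMAIN]", "[IDENTITY]"),            # UPN: keep only the user part
    ("[DOMAIN]\\[IDENTITY]", "[IDENTITY]"),           # NetBIOS\\user: keep only the user part
]

TOKEN = re.compile(r"\[([A-Z]+)\]")


def compile_rule(pattern: str) -> re.Pattern:
    """Turn 'host/[HOSTNAME].[DOMAIN]' into an anchored regex with one named group per token.

    The match is anchored at both ends so a rule only fires on the whole identity,
    never on a substring of it.
    """
    parts = []
    pos = 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))  # literal text before the token
        parts.append(f"(?P<{m.group(1)}>.+?)")           # token: shortest non-empty run
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))               # literal text after the last token
    return re.compile("^" + "".join(parts) + "$")


def rewrite_identity(identity: str, rules=RULES) -> str:
    """Apply the first rule whose pattern matches; return the identity unchanged if none do."""
    for pattern, template in rules:
        m = compile_rule(pattern).match(identity)
        if m:
            # Substitute each [TOKEN] in the template with what that token captured.
            return TOKEN.sub(lambda t: m.group(t.group(1)), template)
    return identity


def collisions(identities, rules=RULES) -> dict:
    """Group raw identities by the name they collapse to after rewriting.

    Distinct realms mapping onto one AD account is the side effect to check for
    before deploying a rule that discards everything after the '@'.
    """
    by_result = {}
    for raw in identities:
        by_result.setdefault(rewrite_identity(raw, rules), []).append(raw)
    return {k: v for k, v in by_result.items() if len(v) > 1}


# Constructed sample identities, shaped like the ones described in the question.
SAMPLE_IDENTITIES = [
    "username@domainname.com",
    "username@other.domainname.com",
    "host/pc01.corp.example.com",
    "CORP\\alice",
    "plainuser",
]

if __name__ == "__main__":
    for raw in SAMPLE_IDENTITIES:
        print(f"{raw!r:40} -> {rewrite_identity(raw)!r}")
    print("collapsed onto one account:", collisions(SAMPLE_IDENTITIES))
```

Two things worth keeping in mind when you configure the real rule. The rewrite is applied before the lookup, so once the realm is stripped it is gone: "username@domainname.com" and "username@other.domainname.com" both become "username", which is what the question wants, but it only makes sense if every realm that can reach the rule maps to the single AD domain ISE queries. If the suffix is supposed to select a domain, keep it in the rewritten identity rather than dropping it. And because the rule matches the whole identity, a plain "username" with no '@' is left alone, so the rule is safe to add without breaking clients that already send a bare username.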
11-14-2018 02:39 PM
Thanks!
It addresses my issue, but now I have a certificate problem. I pointed the firewall to ISE for RADIUS authentication of VPN users.
ISE has a certificate from the issuing CA, and so do the clients, but the firewall is saying there is a self-signed cert in the chain when VPN users enter their credentials.