11-14-2018 11:06 AM
Hello,
I have ISE VM 2.0.0.306 which is using RADIUS authentication just for AAA.
I am having a certificate issue with our Palo Alto remote access VPN. When the client connects their VPN the firewall looks at the User Principal Name which is "username@domainname.com" in some cases it might be "username@other.domainname.com"
The problem is the authentication doesn't work because the firewall is supposed to only send the username of the UPN when authenticating to LDAP. It should not be sending anything after the '@' symbol.
If I send the VPN authentication request to ISE would it be possible for ISE to strip everything after the @ symbol and then authenticate against AD?
Labels: Identity Services Engine (ISE)
Accepted Solutions
11-14-2018 11:35 AM
Definitely. Check out:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf
Specifically "Identity Rewrite". You can put square brackets around any part of the identity you wish and then tokenize as you see fit. After ISE performs the changes you wish, it will then authenticate with that identity.
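The bracket-token rule described above, as an added illustration that is not ISE's own code or configuration syntax: a small Python model in which bracketed tokens in a match pattern capture parts of the presented identity and a rewrite pattern reassembles them, so "username@domainname.com" and "username@other.domainname.com" both reduce to "username". Function names, the rule strings and the sample usernames are constructed.

```python
import re

# Constructed model of an ISE-style identity-rewrite rule, not ISE's own syntax or code.
# A bracketed word such as [IDENTITY] is a token that captures part of the presented
# identity; everything outside the brackets must match literally.
TOKEN = re.compile(r"\[([A-Za-z_]+)\]")

# Hypothetical rule set: strip the realm from any UPN, leave other formats alone.
RULES = [
    ("[IDENTITY]@[DOMAIN]", "[IDENTITY]"),
]


def compile_match_pattern(pattern):
    """Turn a bracket pattern into an anchored regex with one named group per token."""
    parts, pos = [], 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        # Non-greedy so that the first literal '@' separates user from realm,
        # which keeps "user@other.domainname.com" -> IDENTITY=user.
        parts.append("(?P<%s>.+?)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def rewrite_identity(identity, rules=RULES):
    """Apply the first rule whose match pattern fits the identity.

    Identities that match no rule pass through unchanged, so a UPN-stripping
    rule never alters a bare username or a DOMAIN\\user form.
    """
    for match_pattern, rewrite_pattern in rules:
        m = compile_match_pattern(match_pattern).match(identity)
        if m is None:
            continue
        captured = m.groupdict()
        try:
            return TOKEN.sub(lambda t: captured[t.group(1)], rewrite_pattern)
        except KeyError as exc:
            raise ValueError("rewrite token %s not captured by match pattern" % exc)
    return identity


if __name__ == "__main__":
    for upn in ("jdoe@domainname.com", "jdoe@other.domainname.com", "CORP\\jdoe", "jdoe"):
        print("%-28s -> %s" % (upn, rewrite_identity(upn)))
```

Because only identities that fit the match pattern are rewritten, the rule can be scoped to the UPN forms the VPN actually sends while leaving every other identity format untouched for the AD lookup.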
11-14-2018 02:39 PM
Thanks!
It addresses my issue but now I have a certificate problem. I pointed the firewall to ISE for Radius authentication of VPN users.
ISE has a certificate from the issuing CA and so do the clients, but the firewall is saying there is a self-signed cert in the chain when VPN users enter their credentials.
11-14-2018 02:44 PM
Make sure the client presented to endpoints is from a well-known root. If you don't have this and are using your own PKI, then the complete chain needs to be trusted on the clients.
