Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1532
Views
0
Helpful
3
Replies

RADIUS authentication to strip '@domainname.com' from user principal name

Go to solution
waqas gondal
Level 1
Level 1

‎11-14-2018 11:06 AM

Hello,

 

I have ISE VM 2.0.0.306 which is using RADIUS authentication just for AAA.

 

I am having a certificate issue with our Palo Alto remote access VPN. When the client connects their VPN the firewall looks at the User Principal Name which is "username@domainname.com" in some cases it might be "username@other.domainname.com"

 

The problem is the authentication doesn't work because the firewall is supposed to only send the username of the UPN when authenticating to LDAP. It should not be sending anything after the '@' symbol. 

 

If I send the VPN authentication request to ISE would it be possible for ISE to strip everything after the @ symbol and then authenticate against AD?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nadav
Level 7
Level 7

‎11-14-2018 11:35 AM

Definitely. Check out:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf

 

Specifically "Identity Rewrite". You can put square brackets around any part of the identity you wish and then tokenize as you see fit. After ISE performs the changes you wish, it will then authenticate with that identity.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nadav
Level 7
Level 7

‎11-14-2018 11:35 AM

Definitely. Check out:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20.pdf

 

Specifically "Identity Rewrite". You can put square brackets around any part of the identity you wish and then tokenize as you see fit. After ISE performs the changes you wish, it will then authenticate with that identity.

0 Helpful

Go to solution
waqas gondal
Level 1
Level 1
In response to Nadav

‎11-14-2018 02:39 PM

Thanks!

It addresses my issue but now I have a certificate problem. I pointed the firewall to ISE for Radius authentication of VPN users.

ISE has a certificate form the issuing CA and so do the clients but the Firewall is saying there is a self signed cert in the chain when VPN users enter their credentials.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to waqas gondal

‎11-14-2018 02:44 PM

Suggest you open a separate thread and provide screenshot of your trusted certificates.

Make sure client presented to endpoints is from a well know root. If you don’t have this and using your own PKI then the complete chain needs to be trusted on the clients.
0 Helpful
Customers Also Viewed These Support Documents
Top