Same username in two domains.

Janne K.
Level 1

What would be the correct setup in ISE for allowing accounts from different ADs, but with the same username, to log into my wireless?

 

E.g. tomparis@voyager.com exists in the first domain and tomparis@bridge.voyager.com exists in the second domain, both with the same username.
The accounts belong to the same person, and changing the username for one of them is in my case not an option because of other infrastructure that depends on it.

 

I have a fair number of users who have the same 'problem' and want to find a more suitable solution than asking the user to actually type either @voyager.com or @bridge.voyager.com, as many users have no idea when to use one or the other.

 

Would it work if I create two identical authentication policies, where the first one looks into voyager.com and I set the options to

'if auth fail' -> CONTINUE

'if User not found' -> CONTINUE

and then the second policy looks into bridge.voyager.com with the options

'if auth fail' -> REJECT

'if User not found' -> REJECT

 

I'm not sure if this works.

6 Replies

Nadia Bbz
Level 1

Hello;

It will be easy if you work with groups: you create a group in the DC and add the users authorized to connect; after that, in the authorization policy you add a condition with the external group you created.

howon
Cisco Employee

Do the users have the same password on both accounts? If so, you can use identity rewrite to change the username before it gets forwarded to AD: [screenshot: Screen Shot 2021-09-20 at 10.00.49 AM.png]

Janne K.
Level 1

@Nadia Bbz Yes, we already implement groups, but ISE is matching the user from the wrong AD.


@howon They do not have the same password for the two accounts.

 

As a workaround right now I have changed the order in the Identity Source Sequences so that it checks the other domain first, where the 'correct' user is.

Hello;

Did you add all the domains in Administration -> Identity Management -> External Identity Sources -> Active Directory?

In the Identity Source Sequence, have you added all the domains to the authentication search list?

hslai
Cisco Employee

Try using the built-in All_AD_Join_Points or an AD scope.

 

Below are the results from my tests using Advanced Tools > Test User for All Join Points:

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS

Authentication Domain : demo.local
User found in Instance : demoAD
User Principal Name : test@demo.local
User Distinguished Name : CN=test,CN=Users,DC=demo,DC=local

Groups : 2 found.
Attributes : 32 found.

Authentication time : 117 ms.
Groups fetching time : 2 ms.
Attributes fetching time : 5 ms.

Processing Steps:
05:38:02:717: Resolving identity - test
05:38:02:717: Search for matching accounts at join point - demo.local
05:38:02:723: Single matching account found in forest - demo.local
05:38:02:723: Search for matching accounts at join point - ise.local
05:38:02:729: Single matching account found in forest - ise.local
05:38:02:729: Identity resolution detected multiple matching accounts
05:38:02:738: RPC Logon request succeeded - test@demo.local
05:38:02:833: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@ise.local

 

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS

Authentication Domain : ise.local
User found in Instance : iseAD
User Principal Name : test@ise.local
User Distinguished Name : CN=test,CN=Users,DC=ise,DC=local

Groups : 2 found.
Attributes : 32 found.

Authentication time : 61 ms.
Groups fetching time : 11 ms.
Attributes fetching time : 6 ms.

Processing Steps:
05:39:14:866: Resolving identity - test
05:39:14:866: Search for matching accounts at join point - demo.local
05:39:14:873: Single matching account found in forest - demo.local
05:39:14:873: Search for matching accounts at join point - ise.local
05:39:14:879: Single matching account found in forest - ise.local
05:39:14:879: Identity resolution detected multiple matching accounts
05:39:14:916: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@demo.local
05:39:14:926: RPC Logon request succeeded - test@ise.local

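The Test User output above is the quickest way to see whether a scope actually searched every join point and which account's password validated. The following Python parser is an added example (not Cisco's code and not anything the posters wrote): it reads that output format, using the second run above copied in as sample input plus a constructed run that models a scope searching only one domain, and reports which join points were searched, whether ISE detected multiple matching accounts, which UPN logged on, and which expected join points were never searched. The constructed run's names (red.com, blue.red.com, Custom_Scope) and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Output copied from the second "Test User for All Join Points" run posted above
# (same username in demo.local and ise.local; the password belongs to ise.local).
SAMPLE_BOTH_DOMAINS = """\
Test Username : test
Scope : All_AD_Join_Points
Authentication Result : SUCCESS
Authentication Domain : ise.local
User Principal Name : test@ise.local
Processing Steps:
05:39:14:866: Resolving identity - test
05:39:14:866: Search for matching accounts at join point - demo.local
05:39:14:873: Single matching account found in forest - demo.local
05:39:14:873: Search for matching accounts at join point - ise.local
05:39:14:879: Single matching account found in forest - ise.local
05:39:14:879: Identity resolution detected multiple matching accounts
05:39:14:916: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@demo.local
05:39:14:926: RPC Logon request succeeded - test@ise.local
"""

# Constructed (hypothetical) output modelling the poster's situation: only the first
# join point is searched, so the second domain never gets a logon attempt.
SAMPLE_ONE_DOMAIN = """\
Test Username : test
Scope : Custom_Scope
Authentication Result : FAILED
Processing Steps:
05:40:01:100: Resolving identity - test
05:40:01:100: Search for matching accounts at join point - red.com
05:40:01:105: Single matching account found in forest - red.com
05:40:01:140: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@red.com
"""

HEADER_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
STEP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}: (.+?)(?: - (.+))?$")


@dataclass
class TestUserResult:
    headers: dict = field(default_factory=dict)
    searched: List[str] = field(default_factory=list)   # join points searched, in order
    matched: List[str] = field(default_factory=list)    # forests with a matching account
    multiple_matches: bool = False
    # (user principal name, logon succeeded, NT status codes on failure)
    logons: List[Tuple[str, bool, List[str]]] = field(default_factory=list)


def parse_test_user(text: str) -> TestUserResult:
    """Parse the key/value header block and the timestamped processing steps."""
    r = TestUserResult()
    in_steps = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Processing Steps:":
            in_steps = True
            continue
        if not in_steps:
            m = HEADER_RE.match(line)
            if m:
                r.headers[m.group(1).strip()] = m.group(2).strip()
            continue
        m = STEP_RE.match(line)
        if not m:
            continue
        msg, arg = m.group(1), m.group(2)
        if msg == "Search for matching accounts at join point":
            r.searched.append(arg)
        elif msg == "Single matching account found in forest":
            r.matched.append(arg)
        elif msg == "Identity resolution detected multiple matching accounts":
            r.multiple_matches = True
        elif msg == "RPC Logon request succeeded":
            r.logons.append((arg, True, []))
        elif msg == "RPC Logon request failed":
            *codes, upn = arg.split(",")   # error codes first, UPN last
            r.logons.append((upn, False, codes))
    return r


def authenticated_account(r: TestUserResult) -> Optional[str]:
    """UPN of the account whose password validated, or None if no logon succeeded."""
    return next((upn for upn, ok, _ in r.logons if ok), None)


def unsearched_join_points(r: TestUserResult, expected: List[str]) -> List[str]:
    """Join points you expect the scope to cover that ISE never searched for this identity."""
    return [jp for jp in expected if jp not in r.searched]


def header_consistent(r: TestUserResult) -> bool:
    """The 'Authentication Domain' header should name the domain of the UPN that logged on."""
    upn = authenticated_account(r)
    if upn is None:
        return r.headers.get("Authentication Result") != "SUCCESS"
    return r.headers.get("Authentication Domain") == upn.split("@", 1)[1]
```

Run `parse_test_user` on a pasted Test User result and call `unsearched_join_points(result, ["red.com", "blue.red.com"])`: an empty list means the scope searched both domains and the logon attempts in `result.logons` show which account's password matched; a non-empty list means the scope stopped before reaching the second join point, which is the symptom described in this thread.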
 

I do have a custom AD scope that has both blue.red.com and red.com in the authentication search list.

 

But in my case it never checks the blue.red.com domain if it finds the username in the red.com domain.

 

My workaround was to change the order in which ISE looks at the domains.

 

The perfect solution for me would be ISE looking up both domains and then using the one that authenticates successfully;
I just don't see any way to get that working in my setup.
