09-20-2021 06:18 AM
What would be the correct setup in ISE for allowing accounts from different ADs but with the same username to log into my wireless?
E.g. tomparis@voyager.com exists in the first domain and tomparis@bridge.voyager.com exists in the second domain, both with the same username.
The account belongs to the same person, and changing the username for one of them is in my case not an option because of other infrastructure that depends on it.
I have a fair amount of users that have the same 'problem' and want to find a more suitable solution than asking the user to actually write either @voyager.com or @bridge.voyager.com, as many users have no idea when to use the one or the other.
Would it work if I create two identical authentication policies where the first one looks into voyager.com and I set the options to
'if auth fail' -> CONTINUE
'if User not found' -> CONTINUE
and then the second policy looks into bridge.voyager.com with the options
'if auth fail' -> REJECT
'if User not found' -> REJECT
I'm not sure if this works.
09-20-2021 07:18 AM
Hello ;
It will be easy if you work with groups: you create a group in the DC and add the users authorized to connect; after that, in the authorization policy you add a condition with the external group you created.
09-20-2021 08:02 AM
Do users have same password on both accounts? If so you can use identity rewrite to change the username before it gets forwarded to AD:
09-21-2021 12:41 AM
@Nadia Bbz Yes, we already implement groups, but ISE is matching the user from the wrong AD.
@howon They do not have the same password for the two accounts.
As a workaround right now I have changed the order in the Identity Source Sequences so that it checks the other domain first, where the 'correct' user is.
09-21-2021 02:33 AM
Hello ;
Did you add all the domains in Administration -> Identity Management -> External Identity Sources -> Active Directory?
In the Identity Source Sequence, have you added all domains to the authentication search list?
09-26-2021 10:42 PM
Try using the built-in All_AD_Join_Points or an AD scope.
Below are the results from my tests using the Advanced Tools > Test User for All Join Points.

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS
Authentication Domain : demo.local
User found in Instance : demoAD
User Principal Name : test@demo.local
User Distinguished Name : CN=test,CN=Users,DC=demo,DC=local
Groups : 2 found.
Attributes : 32 found.
Authentication time : 117 ms.
Groups fetching time : 2 ms.
Attributes fetching time : 5 ms.
Processing Steps:
05:38:02:717: Resolving identity - test
05:38:02:717: Search for matching accounts at join point - demo.local
05:38:02:723: Single matching account found in forest - demo.local
05:38:02:723: Search for matching accounts at join point - ise.local
05:38:02:729: Single matching account found in forest - ise.local
05:38:02:729: Identity resolution detected multiple matching accounts
05:38:02:738: RPC Logon request succeeded - test@demo.local
05:38:02:833: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@ise.local

Test Username : test
ISE NODE : ise-1.demo.local
Scope : All_AD_Join_Points
Authentication Result : SUCCESS
Authentication Domain : ise.local
User found in Instance : iseAD
User Principal Name : test@ise.local
User Distinguished Name : CN=test,CN=Users,DC=ise,DC=local
Groups : 2 found.
Attributes : 32 found.
Authentication time : 61 ms.
Groups fetching time : 11 ms.
Attributes fetching time : 6 ms.
Processing Steps:
05:39:14:866: Resolving identity - test
05:39:14:866: Search for matching accounts at join point - demo.local
05:39:14:873: Single matching account found in forest - demo.local
05:39:14:873: Search for matching accounts at join point - ise.local
05:39:14:879: Single matching account found in forest - ise.local
05:39:14:879: Identity resolution detected multiple matching accounts
05:39:14:916: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@demo.local
05:39:14:926: RPC Logon request succeeded - test@ise.local
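To check your own Test User runs for the same behaviour (bare username matched in more than one forest, then each candidate UPN tried until one logs on), here is a small parser for that flattened Test User output. It is my own added Python example, not anything shipped with ISE or written by the poster; it assumes the field labels and step wording are exactly as in the output above, and the sample input is the first result from that post.

```python
import re

# Field labels of the ISE "Test User" summary, taken from the output quoted above.
FIELDS = ["Test Username", "ISE NODE", "Scope", "Authentication Result", "Authentication Domain",
          "User found in Instance", "User Principal Name", "User Distinguished Name", "Groups",
          "Attributes", "Authentication time", "Groups fetching time", "Attributes fetching time"]
FIELD_SPLIT = re.compile(r"\s*(?=(?:%s) : )" % "|".join(re.escape(f) for f in FIELDS))
STEP_RE = re.compile(r"(\d{2}:\d{2}:\d{2}:\d{3}): (.*?)(?=\s\d{2}:\d{2}:\d{2}:\d{3}: |$)")

# Sample input: the first Test User result from the post above, flattened exactly as posted.
SAMPLE_RESULT = (
    "Test Username : test ISE NODE : ise-1.demo.local Scope : All_AD_Join_Points "
    "Authentication Result : SUCCESS Authentication Domain : demo.local User found in Instance : demoAD "
    "User Principal Name : test@demo.local User Distinguished Name : CN=test,CN=Users,DC=demo,DC=local "
    "Groups : 2 found. Attributes : 32 found. Authentication time : 117 ms. Groups fetching time : 2 ms. "
    "Attributes fetching time : 5 ms. Processing Steps: 05:38:02:717: Resolving identity - test "
    "05:38:02:717: Search for matching accounts at join point - demo.local "
    "05:38:02:723: Single matching account found in forest - demo.local "
    "05:38:02:723: Search for matching accounts at join point - ise.local "
    "05:38:02:729: Single matching account found in forest - ise.local "
    "05:38:02:729: Identity resolution detected multiple matching accounts "
    "05:38:02:738: RPC Logon request succeeded - test@demo.local "
    "05:38:02:833: RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,test@ise.local"
)

def parse_test_user(text):
    """Split one flattened Test User result into its summary fields and timestamped steps."""
    summary_part, _, steps_part = text.partition("Processing Steps:")
    summary = dict(chunk.partition(" : ")[::2]
                   for chunk in FIELD_SPLIT.split(summary_part.strip()) if chunk)
    steps = [(ts, msg.strip()) for ts, msg in STEP_RE.findall(steps_part)]
    return summary, steps

def analyse(text):
    """Report which forests matched the bare username and which UPN actually logged on."""
    summary, steps = parse_test_user(text)
    messages = [msg for _, msg in steps]
    matched = [m.split(" - ", 1)[1] for m in messages
               if m.startswith("Single matching account found in forest")]
    succeeded = [m.split(" - ", 1)[1] for m in messages if m.startswith("RPC Logon request succeeded")]
    failed = [m.rsplit(",", 1)[1] for m in messages if m.startswith("RPC Logon request failed")]
    return {"user": summary.get("Test Username"), "scope": summary.get("Scope"),
            "result": summary.get("Authentication Result"), "matched_forests": matched,
            "ambiguous": any("multiple matching accounts" in m for m in messages),
            "logon_succeeded": succeeded, "logon_failed": failed}

if __name__ == "__main__":
    print(analyse(SAMPLE_RESULT))
```

A result with `ambiguous` set and one entry in `logon_failed` is exactly the duplicate-username case from the question, so this is a quick way to confirm which join point ISE actually authenticated against in a scope.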
09-27-2021 12:47 AM
I do have a custom AD scope that has both blue.red.com and red.com in the authentication search list.
But in my case it never checks the blue.red.com domain if it finds the username in the red.com domain.
My workaround was to change the order in which ISE looks at the domains.
The perfect solution for me would be ISE looking up both domains and then using the one that authenticates successfully.
I just don't see any way to get that working in my setup.