08-10-2012 02:11 AM - edited 03-10-2019 07:24 PM
Hi
I have configured our ISE to use AD users as sponsors, and this works perfectly.
But I'm also trying to configure an internal user for the sponsor portal.
I have configured it almost the same way, so I don't understand why the ISE is reporting:
Sponsor authentication has failed : Sponsorgroup not found for user
My identity store is a sequence for AD and internal users, and I can see from the log that it looks in the right place:
Identity Store: | Internal Users |
My condition is that the internal user should be a member of identity group: sponsorAllAccount
My identity group:
Identity Group: | SponsorAllAccount |
and then get a created sponsor group. This sponsor group that is allocated to the condition works fine for the AD users.
Evaluating Identity Policy |
5435 Sponsor authentication has failed |
Any suggestions as to why? I'm now running the latest 1.1.1 version.
Br
Tuva
08-10-2012 11:08 PM
The username that you created in the internal database, is it the same username in AD? Therefore the username is present in AD but the password is different and therefore failing authentication?
Check the authentication report and see which user database that ISE checked before rejecting the user.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 12:25 AM
Hi Tarik
Thanks for the answer.
I'm certain that the user does not exist in the AD domain. Anyhow, then my log would tell me that the authentication failed because of wrong password!?
I can see from the log that the ISE is doing a lookup in the internal database.
This is output from the logging:
Identity Store: | Internal Users |
I have made an identity store sequence with both AD and internal users.
Br
Tuva
08-13-2012 02:15 PM
Do you have the option "Treat as if the user was not found and proceed to the next store in the sequence" enabled?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-17-2012 02:05 AM
Hi
I'm pretty sure (don't have the chance to confirm it 110% for sure), but on Monday I will be at the customer site again so I can check.
But I find it strange that the ISE does the lookup in the internal DB if this was not enabled.
The logging says that it is the sponsor group that the ISE can't find for the user.
But the sponsorgroup is created and the user name has been "attached" to this sponsor group.
This sponsor group is also used by the AD users.
Thanks for your replies!
08-17-2012 03:58 AM
Thanks,
It's much easier if you post screenshots of the authentication entry that fails.
Tarik Admani
*Please rate helpful posts*
08-21-2012 02:12 AM
08-21-2012 03:49 PM
08-22-2012 01:18 AM
Hi Tarik
Thanks for the reply.
I'm not sure if I understand you right.
From the right to the left? Is my condition wrong? :)
Br
Tuva
08-22-2012 02:28 AM
Yes,
For your internal groups use the preconfigured identity group condition on the left.
I don't know why this is an option on the left; it hasn't worked for me in authorization policies either.
Thanks
Sent from Cisco Technical Support iPad App
10-05-2012 02:10 PM
Hi Tarik
I would like to check if the guest user (not the sponsor user) is either in the local Identity Group OR the defined AD group. But the check on the left in the authorization rule is AND, or am I wrong?
If I checked it with two Authz single conditions (one for AD group OR one for Local group) then local users failed. Maybe I have to make two rules, like you can see here:
Thanks in advance and best regards
Dominic
Sent from Cisco Technical Support Android App
10-06-2012 09:28 AM
That is correct, this is the best way to configure this in my opinion and this is the method I use.
Tarik Admani
*Please rate helpful posts*
10-07-2012 03:58 AM
Hi Tarik
Thanks for your feedback.
Best regards
Dominic