Strip @domain on LDAP Integration with Cisco ISE?

alig.norbert
Level 4

Hi there,

I got a WLC connected with a Cisco ISE. There are two SSIDs authenticated against the ISE.

One SSID has AD-Integration as External Identity Source, the other SSID is authenticated through LDAP.

Authentication is working fine.

When a user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.

How can I change the ISE so that the user only has to enter "username" and the "@domain" part is already set on the ISE?

Thanks a lot,

Norbert

Accepted Solution

iskandar
Level 1

I was having the same problem with ISE 3.1 while doing a TACACS POC using LDAP to Windows AD for authentication. I wanted to be able to log in with "username" instead of "username@domain".

*Assumption is being made that you have already created your LDAP connection to Windows AD.

Go to: External Identity Sources > Active Directory > LDAP > LDAP Identity Source "You Created" > General > Schema "Should be Active Directory" > Drop Down Schema.

I changed the default "Subject Name Attribute" from "userPrincipalName" to "sAMAccountName" after referencing the ISE troubleshooting guide below.

After saving the change, you should be able to log in with just "username" now.

[Screenshot: cisco_ise3.1-01.png]

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216190-configure-and-troubleshoot-ise-with-exte.html


3 Replies

Jatin Katyal
Cisco Employee

From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421

* Strip start of subject name up to the last occurrence of the separator

* Strip end of subject name from the first occurrence of the separator

Regards,

Jatin

Do rate helpful posts-

~Jatin

I have found it.

Under the LDAP Identity Source, tab General, Subject Name Attribute, "CN" must be entered.

Greets,

Norbert
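The thread turns on one point: ISE takes whatever the user typed (optionally after the prefix/suffix strip rules Jatin quotes), and compares it against the single LDAP attribute chosen as "Subject Name Attribute". The model below, added here as an illustration and not Cisco's or ISE's own code, shows why "userPrincipalName" forces the user to type "username@domain", why "sAMAccountName" (iskandar's fix) or "CN" (Norbert's fix) lets a bare name match, and why a strip rule can remove a suffix but never add one. The directory entries, domain name and the exactly-one-match rule are constructed assumptions for the example; the RFC 4515 escaping is included because user-typed identities end up inside an LDAP search filter.

```python
"""Model of how a typed identity is resolved against an LDAP identity source.

Added example, not ISE code. DIRECTORY and the domain are constructed test data.
"""
from typing import List, Optional, Tuple

# Constructed sample entries shaped like Active Directory user objects.
DIRECTORY: List[dict] = [
    {"dn": "CN=Alice Example,OU=Users,DC=example,DC=test",
     "cn": "Alice Example", "sAMAccountName": "alice",
     "userPrincipalName": "alice@example.test"},
    {"dn": "CN=Bob Builder,OU=Users,DC=example,DC=test",
     "cn": "Bob Builder", "sAMAccountName": "bob",
     "userPrincipalName": "bob@example.test"},
]

ALICE_DN = DIRECTORY[0]["dn"]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed identity must not change the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def apply_strip(subject: str,
                strip_prefix_sep: Optional[str] = None,
                strip_suffix_sep: Optional[str] = None) -> str:
    """The two strip rules quoted in the thread: prefix up to the LAST separator,
    suffix from the FIRST separator. Note that neither rule can append a domain."""
    if strip_prefix_sep and strip_prefix_sep in subject:
        subject = subject.rsplit(strip_prefix_sep, 1)[1]
    if strip_suffix_sep and strip_suffix_sep in subject:
        subject = subject.split(strip_suffix_sep, 1)[0]
    return subject


def build_filter(subject_attr: str, subject: str) -> str:
    """Equality filter on the configured Subject Name Attribute."""
    return "(%s=%s)" % (subject_attr, escape_filter_value(subject))


def lookup(subject_attr: str, typed_identity: str,
           strip_prefix_sep: Optional[str] = None,
           strip_suffix_sep: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (filter sent to the server, DN of the unique match or None).

    AD string attributes compare case-insensitively, so the model does too.
    Requiring exactly one match is this model's assumption: an ambiguous
    result should fail closed rather than pick an entry.
    """
    subject = apply_strip(typed_identity, strip_prefix_sep, strip_suffix_sep)
    flt = build_filter(subject_attr, subject)
    matches = [e["dn"] for e in DIRECTORY
               if e.get(subject_attr, "").lower() == subject.lower()]
    return flt, (matches[0] if len(matches) == 1 else None)


if __name__ == "__main__":
    # userPrincipalName: only the full UPN matches.
    print(lookup("userPrincipalName", "alice"))
    print(lookup("userPrincipalName", "alice@example.test"))
    # sAMAccountName: the bare login name matches.
    print(lookup("sAMAccountName", "alice"))
    # Strip rules let "DOMAIN\\alice" or "alice@example.test" collapse to "alice"...
    print(lookup("sAMAccountName", "alice@example.test", strip_suffix_sep="@"))
    # ...but cannot turn "alice" into a UPN, which is why Jatin's answer is "no".
    print(lookup("userPrincipalName", "alice", strip_suffix_sep="@"))
    # Filter metacharacters are escaped, so "*" is looked up literally.
    print(lookup("sAMAccountName", "*"))
```

Run it as a script to see each case printed; the filter string returned by `lookup` is what a packet capture on the ISE-to-AD connection would show, so it is also a quick sanity check when a "user not found" result follows a schema change.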
