01-09-2026 09:18 AM - edited 01-09-2026 09:33 AM
Hi,
Our customer is using 2x Cisco ISE 3.4 P3 integrated with AD.
They have two domains xyz.com and aaa.com.
Cisco ISE is configured at the domain xyz.com.
We are using TEAP for dot1x and the computer authentication is working. Only the user authentication is failing.
The computer certificate is using name.zyz.com as the SAN and the user certificate is using the other domain, user@aaa.com.
The user domain is an alias.
How will ISE look at this? Because the user authentication is failing. Must the domain be the same for users and computers?
01-09-2026 11:27 AM
Hi,
Are the two domains, xyzzy.com and aaa.com, totally separate domains, or part of a forest with trust in between?
Is ISE integrated only with domain xyz.com?
Is the user certificate SAN user@aaa.com?
The SAN / identity of computer and user don't need to be part of the same domain or have the same domain extension; it's a matter of proper integration and configuration on the ISE side. Can you post a print-screen with the authentication failure message from ISE?
Thanks,
Cristian.
01-10-2026 09:25 AM
Hi,
The two domains, xyzzy.com and aaa.com are totally separate domains, or part of a forest with trust in between?
xyz.com is a domain and aaa.com is just an alias.
ISE is integrated only with domain xyz.com? Yes
The user certificate SAN is user@aaa.com? Yes
aaa.com is not under the allowed domains in Cisco ISE.