Cisco ISE - AD Authentication Based on UPN only (instead of UPN + MAIL)

0924342halmans
Level 1

Hi All,

I have a question, and I hope someone can help me with this one.

Currently I have a distributed deployment of 8 ISE nodes (software 2.3 with Patch 1 + 2).

The ISE is joined with an Active Directory and all is working.

However:

We have some users that have 2 Active Directory accounts (one for testing and one for production).

Both accounts have a different User Principal Name (UPN), but the accounts have the same mail attribute.

I read in the Cisco documentation that the default check is for UPN+MAIL. See quote below:

• Cisco ISE also permits an identity that appears to be a UPN to also match the user's mail attribute, that is, it searches for "identity=matching UPN or email". Some users log in with their email name (often via a certificate) and not a real underlying UPN. This is implicitly done if the identity looks like an email address.

Is it possible to change this behavior to UPN only?

I tried using an Authorization Policy to match UPN only, but ISE still does the Mail + UPN lookup.

I also tried the Rewrite function for ISE and AD, but still no luck.

Right now the user is getting denied because of:

24324 Identity resolution detected multiple matching accounts

24478 Error while validating the user or host in Active Directory; the IdentityAccessRestricted flag is not altered

When I query Active Directory from the External Identities tab, I get:

"A duplicate user record was found"

Thanks for your replies and attention.
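The documented behaviour quoted in the post (an identity that looks like an email address matches either userPrincipalName or mail) is what produces the 24324 "multiple matching accounts" result when two accounts share a mail value. The following is an added example, not code from the thread or from Cisco ISE, that models that resolution rule on a constructed in-memory directory so the ambiguous case can be reproduced and compared against a UPN-only lookup; it also includes a pre-check that lists mail values shared by more than one account, which is the condition to look for before users hit the error. Account names, UPNs and the corp.example domain are all constructed.

```python
"""
Added example (not from the thread or Cisco ISE): models the documented
"identity = matching UPN or email" resolution rule on constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdAccount:
    sam: str   # sAMAccountName
    upn: str   # userPrincipalName
    mail: str  # mail attribute


# Constructed sample directory: a production and a test account for the same
# person with different UPNs but an identical mail attribute, plus an
# unrelated account with no overlap.
SAMPLE_DIRECTORY = [
    AdAccount("jdoe",      "john.doe@corp.example",      "john.doe@corp.example"),
    AdAccount("jdoe-test", "john.doe-test@corp.example", "john.doe@corp.example"),
    AdAccount("asmith",    "alice.smith@corp.example",   "alice.smith@corp.example"),
]


def looks_like_email(identity: str) -> bool:
    """An identity of the form local@domain is treated as a possible UPN/email."""
    parts = identity.split("@")
    return len(parts) == 2 and all(parts)


def resolve_identity(directory, identity, upn_only=False):
    """Return the list of accounts an identity resolves to.

    upn_only=False mirrors the documented default: an email-looking identity
    matches either userPrincipalName or mail. upn_only=True models the
    behaviour the poster asked for. Comparisons are case-insensitive, as AD
    attribute matching is. A plain name (no '@') is matched on sAMAccountName.
    """
    ident = identity.lower()
    if not looks_like_email(ident):
        return [a for a in directory if a.sam.lower() == ident]
    return [
        a for a in directory
        if a.upn.lower() == ident or (not upn_only and a.mail.lower() == ident)
    ]


def classify(matches):
    """Map a resolution result to the outcome an authentication would see."""
    if not matches:
        return "no-match"
    if len(matches) > 1:
        return "ambiguous"  # the condition behind ISE's 24324 message
    return "unique"


def find_shared_mail(directory):
    """Defensive pre-check: mail values carried by more than one account.

    Any identity equal to one of these values is ambiguous under the default
    UPN-or-mail rule, regardless of the authorization policy applied later.
    """
    by_mail = {}
    for a in directory:
        by_mail.setdefault(a.mail.lower(), []).append(a.sam)
    return {m: sams for m, sams in by_mail.items() if len(sams) > 1}


if __name__ == "__main__":
    ident = "john.doe@corp.example"
    for upn_only in (False, True):
        found = resolve_identity(SAMPLE_DIRECTORY, ident, upn_only=upn_only)
        print(f"upn_only={upn_only}: {classify(found)} -> {[a.sam for a in found]}")
    print("shared mail values:", find_shared_mail(SAMPLE_DIRECTORY))
```

Running the block shows the same login identity resolving to two accounts under the default rule and to exactly one under a UPN-only lookup; the pre-check is the part worth running against a real directory export, since it surfaces the shared-mail pairs that will fail before anyone authenticates.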


1 Accepted Solution

hslai
Cisco Employee

Please open a TAC case so that TAC may guide you on how to tweak the registry setting for this, as the fix for CSCvg56578.

5 Replies

Mrkdelt91
Level 1

Hello,

I am also looking for this feature. Did you get this solved?

I'm still searching around. If I find a solution, then I will let you know.

Hey,

But it works with UPN alone. Why do you need the email attribute?


@hslai wrote:

Please open a TAC case so that TAC may guide you how to tweak the registry setting for this, as the fix for CSCvg56578.


Also make sure you're running the recommended release of ISE 2.4 or higher with the latest patch.

https://community.cisco.com/t5/security-blogs/announcing-the-quot-suggested-release-quot-status-of-ise-2-4/ba-p/3775587

https://community.cisco.com/t5/security-news/announcing-ise-2-6-as-suggested-release/ba-p/3953488
