03-28-2018 04:23 AM - edited 02-21-2020 10:52 AM
Hi All,
I have a question, and I hope someone can help me with this one.
Currently I have a distributed deployment of 8 ISE nodes (software 2.3 with Patch 1 + 2).
The ISE is joined with an Active Directory and all is working.
However:
We have some users that have 2 Active Directory accounts (one for testing and one for production).
Both accounts have a different User Principal Name (UPN), but the accounts have the same mail attribute.
I read in the Cisco documentation that the default check is for UPN+MAIL. See quote below:
• Cisco ISE also permits an identity that appears to be a UPN to also match the user’s mail attribute, that is, it searches for
“identity=matching UPN or email”. Some users log in with their email name (often via a certificate) and not a real underlying UPN. This is implicitly done if the identity looks like an email address.
Is it possible to change this behavior to UPN only?
I tried using an Authorization Policy to match UPN only, but ISE still does the Mail + UPN lookup.
I also tried the Rewrite function for ISE and AD, but still no luck.
Right now the user is getting denied because of:
24324 Identity resolution detected multiple matching accounts
24478 Error while validating the user or host in Active Directory; the IdentityAccessRestricted flag is not altered
When I query Active Directory from the External Identities tab, then I get:
"A duplicate user record was found"
Thanks for your replies and attention.
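As an added illustration of the behaviour described in this post (example code written for this page, not code from Cisco ISE or from the thread), the following Python script mimics the documented resolution rule quoted above: an identity that looks like an email address is matched against the UPN or the mail attribute, so two accounts that share a mail value can both match one login identity. The script also includes an audit helper that lists mail values shared by more than one account, which is the condition behind the "multiple matching accounts" result. The account records, attribute names and domain are constructed sample data, not real directory content.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample AD accounts (not real data). "jdoe" is the production
# account and "jdoe-test" the test account: different UPNs, same mail value.
ACCOUNTS = [
    {"sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@example.test",
     "mail": "john.doe@example.test"},
    {"sAMAccountName": "jdoe-test",
     "userPrincipalName": "john.doe.test@example.test",
     "mail": "john.doe@example.test"},
    {"sAMAccountName": "asmith",
     "userPrincipalName": "alice.smith@example.test",
     "mail": "alice.smith@example.test"},
]

# Minimal "looks like an email address" check, as the documentation describes.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_email(identity: str) -> bool:
    return bool(EMAIL_RE.match(identity))


def resolve(identity: str, accounts: List[dict], match_mail: bool = True) -> List[dict]:
    """Return every account the identity resolves to.

    match_mail=True mimics the documented default ("identity = matching UPN or
    email" when the identity looks like an email address). match_mail=False
    compares the UPN only, which is the behaviour the original post asks for.
    """
    ident = identity.lower()
    hits = []
    for acct in accounts:
        if acct["userPrincipalName"].lower() == ident:
            hits.append(acct)
        elif match_mail and looks_like_email(ident) and acct.get("mail", "").lower() == ident:
            hits.append(acct)
    return hits


def classify(identity: str, accounts: List[dict], match_mail: bool = True) -> str:
    """Summarise the lookup outcome: 'ok', 'ambiguous' (the duplicate case) or 'not found'."""
    hits = resolve(identity, accounts, match_mail)
    if not hits:
        return "not found"
    if len(hits) > 1:
        return "ambiguous"
    return "ok"


def duplicate_mail_attributes(accounts: List[dict]) -> Dict[str, List[str]]:
    """Audit helper: mail values that more than one account carries.

    Any identity equal to one of these values will hit several accounts under
    the UPN-or-mail rule, so this is the list an admin would want to clean up
    or at least know about before users start failing authentication.
    """
    by_mail: Dict[str, List[str]] = defaultdict(list)
    for acct in accounts:
        mail = acct.get("mail")
        if mail:
            by_mail[mail.lower()].append(acct["sAMAccountName"])
    return {mail: names for mail, names in by_mail.items() if len(names) > 1}


if __name__ == "__main__":
    login = "john.doe@example.test"
    print("UPN-or-mail:", classify(login, ACCOUNTS),
          [a["sAMAccountName"] for a in resolve(login, ACCOUNTS)])
    print("UPN only:   ", classify(login, ACCOUNTS, match_mail=False),
          [a["sAMAccountName"] for a in resolve(login, ACCOUNTS, match_mail=False)])
    print("Shared mail values:", duplicate_mail_attributes(ACCOUNTS))
```

Running it shows the production identity resolving to both accounts under the default rule and to the single production account under UPN-only matching; the audit output lists the one shared mail value. The same audit is easy to reproduce against a real directory by exporting userPrincipalName and mail for all users and feeding the rows into `duplicate_mail_attributes`.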
11-06-2019 08:39 PM
Please open a TAC case so that TAC may guide you how to tweak the registry setting for this, as the fix for CSCvg56578.
04-05-2018 04:01 AM
Hello,
I am also looking for this feature. Did you get this solved?
04-11-2018 05:28 AM
I'm still searching around. If I find a solution, then I will let you know.
10-31-2019 01:33 PM
Hey,
But it works with UPN alone. Why do you need the email attribute?
11-07-2019 10:40 AM
@hslai wrote:
Please open a TAC case so that TAC may guide you how to tweak the registry setting for this, as the fix for CSCvg56578.
Also make sure you're running the recommended release of ISE 2.4 or higher with the latest patch.
https://community.cisco.com/t5/security-news/announcing-ise-2-6-as-suggested-release/ba-p/3953488