11-30-2016 01:56 AM - edited 03-11-2019 12:15 AM
Hi,
I am running ISE 1.3 and have encountered a problem with PEAP. We mostly use email to log in to our BYOD network. The problem occurs when the user has two accounts in AD, with their email in both accounts, and the accounts have different passwords.
This is what happens:
The user connects to the wifi with email@externaldomain.com and a password
ISE does a Resolve Identity on email@externaldomain.com
Multiple matching accounts in forest - internaldomain
RPC Logon request failed for Account2 (wrong password)
RPC Logon request succeeded for Account1 (correct password)
Authentication failed because identity credentials are ambiguous.
Is there any way to fix this so that ISE only checks the email against one of the accounts? Account1 is the account that users use to log in to their PC and Account2 is for administrative stuff.
I have looked at rewrite rules, but have not found one that can fix this.
Regards,
Philip
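The ambiguity described above only arises when two accounts carry the same email value, so a useful first step is to find every such pair in the forest before touching ISE. The following is an added PowerShell audit script, not something from this thread or from Cisco; it assumes the RSAT ActiveDirectory module, read access to each domain, and that ISE matched the login name against the mail attribute (the post does not say which attribute was used; adjust the filter if it is userPrincipalName).

```powershell
# Added example, not from the thread: list user accounts across the forest
# that share the same mail value. Each group of two or more accounts is a
# candidate for the "identity credentials are ambiguous" PEAP failure.
# Assumes the ActiveDirectory RSAT module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$users = foreach ($domain in $forest.Domains) {
    # Only accounts that actually have a mail attribute set
    Get-ADUser -Server $domain -Filter 'mail -like "*"' `
        -Properties mail, userPrincipalName, DistinguishedName |
        Select-Object @{ n = 'Domain'; e = { $domain } },
                      SamAccountName, UserPrincipalName, DistinguishedName,
                      @{ n = 'Mail'; e = { $_.mail.ToLowerInvariant() } }
}

# Group by the normalised address and keep only the duplicates.
$ambiguous = $users |
    Group-Object -Property Mail |
    Where-Object { $_.Count -gt 1 }

foreach ($g in $ambiguous) {
    Write-Output "Ambiguous identity: $($g.Name) ($($g.Count) accounts)"
    $g.Group |
        Format-Table Domain, SamAccountName, UserPrincipalName, DistinguishedName -AutoSize
}

# Export the full list so the directory owners can decide which account
# (for example the administrative one) should lose the mail value.
$ambiguous | ForEach-Object { $_.Group } |
    Export-Csv -Path .\ambiguous-mail.csv -NoTypeInformation
```

Run it read-only first; any remediation (such as clearing mail from the secondary account) should be a separate, reviewed change.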
11-30-2016 05:39 AM
Hi Philip,
Depending on how your AD is set up, you can split them into different OUs, for instance OU=USERS & OU=ADMIN.
Then you can have an Authz policy pointing to the USERS group.
Cheers
Ant
11-30-2016 06:14 AM
Hi,
ISE checks whether a user exists in a domain before it checks groups in AD.
The accounts are in different groups, and the authorization rule already has a condition to check that account1 is in a specific group that account2 isn't.
Regards
Philip