ISE 1.3 and AD integration

Hi,

I am running ISE 1.3 and have encountered a problem with PEAP. We mostly use email to log in to our BYOD network. The problem occurs when a user has two accounts in AD, both accounts carry the same email address, and the accounts have different passwords.

This is what happens:

The user connects to the wifi with email@externaldomain.com and a password

ISE does a Resolve Identity on email@externaldomain.com

Multiple matching accounts in forest - internaldomain

RPC Logon request failed for Account2 (wrong password)

RPC Logon request succeeded for Account1 (correct password)

Authentication failed because identity credentials are ambiguous.

Is there any way to fix this so that ISE only checks the email against one of the accounts? Account1 is the account that users use to log in to their PC and Account2 is for administrative stuff.

I have looked at rewrite rules, but have not found one that can fix this.

Regards,

Philip
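The failure described above starts with the "Multiple matching accounts in forest" step: the identity the client presents (an email address) maps to more than one AD object, so ISE cannot tell which account it is supposed to authenticate. The script below is an added example for this thread, not code from Cisco or from the poster. It parses a constructed LDIF-style export of AD users (sample data, not real accounts), reports every mail value that is shared by more than one account, and checks which of the common identity attributes (mail, userPrincipalName, sAMAccountName) would resolve every account uniquely. Which of those attributes ISE can be configured to match on is an ISE setting the thread does not cover; the script only tells you where the ambiguity lives in the directory.

```python
"""Find AD accounts that share an e-mail address, i.e. the accounts that make an
e-mail based identity ambiguous for the authenticating server.

Added example for this thread (not Cisco's or the poster's code). The LDIF below
is constructed sample data; in practice feed it an export such as the output of
ldifde or csvde, one attribute per line, entries separated by blank lines.
"""

import re
from collections import defaultdict

# Constructed sample export. Two accounts carry the same mail value (with
# different letter case), one account has a unique mail value.
SAMPLE_LDIF = """\
dn: CN=Philip Admin,OU=ADMIN,DC=internaldomain,DC=local
sAMAccountName: philip-adm
userPrincipalName: philip-adm@internaldomain.local
mail: philip@externaldomain.com

dn: CN=Philip,OU=USERS,DC=internaldomain,DC=local
sAMAccountName: philip
userPrincipalName: philip@internaldomain.local
mail: Philip@externaldomain.com

dn: CN=Anna,OU=USERS,DC=internaldomain,DC=local
sAMAccountName: anna
userPrincipalName: anna@internaldomain.local
mail: anna@externaldomain.com
"""


def parse_ldif(text):
    """Return one dict per LDIF entry; attribute names are lower-cased so
    lookups do not depend on the exporter's capitalisation."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def ambiguous_identities(entries, attr="mail"):
    """Map each value of `attr` (case-folded, since AD matching is
    case-insensitive) to the DNs carrying it, keeping only values that
    match more than one account."""
    by_value = defaultdict(list)
    for entry in entries:
        if attr in entry:
            by_value[entry[attr].casefold()].append(entry["dn"])
    return {value: dns for value, dns in by_value.items() if len(dns) > 1}


def unique_identity_attributes(
    entries, candidates=("mail", "userprincipalname", "samaccountname")
):
    """Return the candidate attributes whose values are unique across all
    accounts, i.e. the ones an identity lookup could resolve unambiguously."""
    return [attr for attr in candidates if not ambiguous_identities(entries, attr)]


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    for mail, dns in ambiguous_identities(accounts).items():
        print(f"{mail} matches {len(dns)} accounts:")
        for dn in dns:
            print("   ", dn)
    print("attributes unique across all accounts:",
          unique_identity_attributes(accounts))
```

Run against a real export, the first loop lists exactly the user pairs that will hit "identity credentials are ambiguous" when they log in with their email, which is the set you need to fix in the directory or steer onto a different identity attribute.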

2 Replies

aevans (Level 1)

Hi Philip,

Depending on how your AD is set up, you can split them into different OUs, for instance OU=USERS and OU=ADMIN.

Then you can have an Authz policy pointing to the USERS group.

Cheers

Ant

Hi,

ISE checks if a user exists in a domain before it checks groups in AD.

The accounts are in different groups, and the authorization rule already has a condition that checks whether Account1 is in a specific group that Account2 isn't.

Regards

Philip
