ISE : Active Directory integration long usernames sAMAccountname

tbostrom
Cisco Employee

Have a customer deploying ISE for wireless authentication using PEAP-MSCHAPv2.  They've encountered an issue where some users with long usernames are failing authentication to ISE.  ISE logs that the user is not found in the user database (Active Directory).

Upon further review, it appears that ISE is using the sAMAccountname as the username token to authenticate against.

sAMAccountname is limited to 20 characters. 

Customer is running a full Windows 2008 domain and users log in to the domain using their User Principal Name (no 20 character limit). Therefore, when the user creates a wireless connection and passes his Windows credentials to PEAP, it fails because the username is too long and ISE does not find the user in the AD database.

Is there a way to point ISE to use a different username token instead of sAMAccountname? Or is this a known issue?
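
The mismatch described in the post above can be checked ahead of time by comparing each account's UPN logon name with its sAMAccountName. The following Python audit is an added example, not part of the original thread or any Cisco tooling; the sample records, the `example.test` domain and the function names are constructed for illustration.

```python
# Added example: flag accounts whose UPN logon name cannot equal their
# sAMAccountName, the condition the post describes for failing users.
SAM_MAX = 20  # sAMAccountName length limit stated in the post

# Constructed sample records (not from the thread). In practice these would
# come from an export of sAMAccountName and userPrincipalName from AD.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@example.test"},
    {"sAMAccountName": "maximilian.vanderber",
     "userPrincipalName": "maximilian.vanderbergen@example.test"},
    {"sAMAccountName": "akhan2",
     "userPrincipalName": "Aisha.Khan@example.test"},
    {"sAMAccountName": "svc-backup", "userPrincipalName": ""},
]


def upn_prefix(upn):
    """Return the part of a UPN before the last '@' (the name users type)."""
    return upn.rsplit("@", 1)[0]


def classify(user):
    """Classify one account as 'ok', 'upn-too-long' or 'upn-differs'."""
    sam = user.get("sAMAccountName") or ""
    upn = user.get("userPrincipalName") or ""
    if not upn:
        return "ok"  # no explicit UPN set: nothing to compare against
    prefix = upn_prefix(upn)
    if len(prefix) > SAM_MAX:
        # A name this long can never be stored in sAMAccountName.
        return "upn-too-long"
    if prefix.lower() != sam.lower():
        # Short enough, but a lookup by sAMAccountName still would not match.
        return "upn-differs"
    return "ok"


def audit(users):
    """Return {sAMAccountName: finding} for every account that is not 'ok'."""
    findings = {}
    for user in users:
        result = classify(user)
        if result != "ok":
            findings[user["sAMAccountName"]] = result
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS).items():
        print(f"{name}: {finding}")
```
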

7 Replies

Ravi Singh
Level 7

I don't think there is any way to increase the limit of 20 characters. You have to create the user name within the 20-character limit.

I have the same issue with one of my clients.

Any chance this has been fixed in the last 7 years or someone found a workaround?

victor.jaouen
Level 1

Any update on this limitation?

hslai
Cisco Employee

See 

  • CSCvf21978 ISE failing to resolve ambiguity for AD accounts
  • CSCvc86398 ISE 2.1 patch 2 some certificate authentications fail

Thank you for sharing these bugs.

They don't match exactly our issue (bugs mention issues for short usernames, we have issues with long ones) but it might help the TAC find the issue faster.

Have a nice day.

Hi Tom

Do you have any conclusions on the case with TAC? I'd highly appreciate it.

Hello,

No, I wanted to collect logs before opening the TAC case but the users running into this issue are on vacation currently.

I'll be sure to update once this is solved in our environment.

Have a nice day,

Best regards.