
ISE/WLC/AD - Creating a 802.1X SSID for Dual-Domain use with ISE

Colton
Level 1

Good Morning,

I am currently working with a Distributed ISE Node Setup (2 Nodes) in a Dual Domain organization (Academic Users separated from Administrative Users). I am attempting to use a Single SSID on my WLC for 802.1X logins and have been attempting to allow users from Domain X and Domain Z to both authenticate to the SSID, which will then ideally tag them with the appropriate VLAN.

That is the end goal for the moment, but currently I have run into the following issue:

ISE Version 2.2.0.470
Patch Information None

14:32:14:652: Identity resolution detected multiple matching accounts

Error: A Duplicate User Record Was Found

I have a test account set up on both domains using the same credentials. They are using different mailing addresses and have some attributes that help make them unique, but ideally, I will have to come up with a solution to this while maintaining my dream of a Single 802.1X SSID for the organization.

Does anyone have any experiences or suggestions with how to deal with duplicate accounts across joined domains on ISE? I can provide logs and additional information as needed.

Thank you for taking the time to read this.

1 Reply

Though it is not related to your issue, I would highly recommend applying the latest patch (I think patch 9) to your ISE 2.2 environment.

"I have a test account setup on both Domains using the same credentials."

Do you expect this to be the case in your live setup (users will have the same credentials in both domains)? Typically, different users will be in different groups in AD.

Here is the Cisco ISE AD Integration document that you should refer to:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.pdf

HTH

Rasika
