01-28-2025 01:56 AM
Hi,
We want to sync the Users in DUO with the new function offered in Cisco ISE 3.3.
Configure ISE 3.3 Native Multi-factor Authentication with Duo - Cisco
This is working properly, the connection works and users are synced. The only problem we are facing is that in the past (with AD integration to DUO) we could define that the "userPrincipalName" is used as username. With the new solution it is using the "sAMAccountName".
We can change the username manually for each user, but with the next sync the user is added an additional time with the "sAMAccountName".
Is there a way that the username is changed automatically when the users are synced?
01-28-2025 03:42 AM
01-28-2025 10:19 AM
Thanks for this suggestion, but the steps in that article are not relevant to the ISE API integrations.
01-28-2025 10:15 AM - edited 01-28-2025 10:50 AM
The ISE sync was developed by ISE, not by Duo, and does not exactly replicate options available in Duo's own directory sync.
I'm not aware of a way to change the source attribute for usernames in the ISE sync. You might want to ask in the ISE forum here https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control, or contact TAC to raise a support case for ISE.
ETA I see the official ISE product documentation for releases 3.3 and 3.4 does specify sAMAccountName is used as the source username attribute and does not mention the ability to select an alternate.
01-29-2025 06:27 AM
@dominikl I talked to someone on the ISE team and they confirmed the username source attribute in their sync is hardcoded to sAMAccountName.
I think you can contact TAC or your Cisco account team if you'd like to submit this as a feature enhancement to ISE (based on the answers in this post https://community.cisco.com/t5/network-access-control/ise-feature-requests/td-p/3685837).
01-29-2025 06:32 AM
@DuoKristina Thank you for your response and checking with our colleagues from the ISE Team. I will create a feature enhancement request for ISE to add this feature.