Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
474
Views
10
Helpful
2
Replies

ISE 2.3 not looking up users with certain upn suffix

bobw80
Level 1
Level 1

‎10-24-2018 11:48 AM

We are standing up our ISE 2.3 env and the node has been configured and joined to AD.

 

The problem we are running into is that some of our UPN suffixes are not returning a successful query when we run the test user lookup command.

 

We have 8 alternate suffixes defined in our domain and the lookup query is looking with all but 2 of them so I do not feel it is AD related because by it returning successfully for 6 of the 8 suffixes tells me that ISE can query the global catalog and find a match.

 

I feel it is DNS related and it not having all suffixes indicated as valid or "mapped" correctly there. We use Infoblox DNS that I do not manage so I am trying to get ahold of the admin to have them also look there but also trying to see if there are similar experiences someone can share and what may have resolved it for them.

 

Thank you.

0 Helpful
2 Replies 2

hslai
Cisco Employee
Cisco Employee

‎10-24-2018 12:13 PM

If possible, please open a TAC case to investigate, as your deployment involving several alternative UPN suffices.

If you would like to check yourself first, then please turn the debugging level to TRACE for the component Active Directory and check ad_agent.log during the issue recreated.

packetplumber9
Level 1
Level 1

‎10-24-2018 12:30 PM

If you think it could be related to DNS, have you verified that all SRV records for all 8 domains are resolvable by the ISE nodes?  Compare the 6 that are working to the 2 that are not working. 

Customers Also Viewed These Support Documents