07-18-2018 01:03 PM
Good Day,
I have recently updated my ISE deployment to patch 9 as suggested by others but now I am having issues with my 802.1x setup.
Running 2 Active Directory Domains which are both connected to ISE. Single SSID running 802.1X tags a user with VLAN 1 or VLAN 2 based on their domain. (Example numbers)
Domain 1 = Admin
Domain 2 = Education
It was working before, where it would reference only users from the groups listed, but now it seems that when a user attempts to authenticate with Domain 1 credentials, ISE will find a duplicate account on Domain 2 listed in a group that is not approved for inspection.
Is this a known bug with Patch 9 for ISE 2.2?
Still fairly new to ISE and have been trying to set it up for my organization over the last several months, and this has been one non-stop headache ever since. Seems I fix one thing only to break everything else that was working. Beyond frustrating.
07-18-2018 03:07 PM
ISE has been changing how it resolves a subject or username in AD in recent ISE releases or patches while addressing issues, such as CSCvf21978.
I would suggest you engage Cisco TAC to troubleshoot and advise on any advanced tuning settings.
07-18-2018 04:06 PM
Hi Hsing,
The bug ID does a fair bit of explaining, which is a pleasant surprise in terms of how most bugs are written! Does Cisco have a document that explains how ISE 2.4 identity resolution works, especially in the context of ambiguity?
As you know, I have a customer with 10 forests and a user can potentially exist multiple times in each forest. When users don't specify their domain during an auth request, then ISE will search all the whitelisted domains. But then the details get fuzzy.
In most simple cases where customers only join one AD Domain, and users provide their "AD login account details" during 802.1X then the solution just works and nobody cares about the details. But I am interested in the case where multiple domains are joined, and where ambiguity exists.
Thanks in advance
Arne
07-18-2018 04:26 PM
I'm actually interested if that information is documented anywhere too. Even in the simple cases where a customer has a single domain I have seen issues.
One client had some machine accounts with the same name as users. ISE was matching the machine account when the user provided credentials and continuously failing with an "invalid password". Not sure if the lookup mechanism changed since; in that case they just removed the stale machine accounts.
07-18-2018 07:31 PM
The current AD guide is Active Directory Integration with Cisco ISE 2.x, but it might reflect all the recent changes. Our doc team is working to provide some better documentation.
On search order, the searches are almost concurrent but the order does not really matter, as ISE checks for all applicable domains.
On disabled accounts, ISE would fail authentications on them. If lookup only, it's possible to check for NetworkAccess:IdentityAccessRestricted, but matching AD groups and attributes would fail.
On AD attributes for a subject without a domain qualifier and/or common name, see those mentioned in CSCvf21978 for users. For computers, also servicePrincipalName.
On ID match, disabled accounts are still considered to check for passwords.
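The two ambiguities raised in this thread (the same username existing in more than one joined domain, and a stale machine account carrying the same name as a user) can be found before they surface as failed authentications. The script below is an added example, not Cisco's or ISE's own code; it assumes a CSV export of accounts from each joined domain (the sample rows are constructed) and flags every typed-in name that resolves to more than one object.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from two joined domains (not real data):
# domain, sAMAccountName, objectClass, enabled
SAMPLE_EXPORT = """\
domain,sAMAccountName,objectClass,enabled
admin.example.local,jsmith,user,true
edu.example.local,jsmith,user,true
edu.example.local,jdoe,user,false
admin.example.local,jdoe,user,true
admin.example.local,LAB-PC01$,computer,true
edu.example.local,lab-pc01,user,true
admin.example.local,unique1,user,true
"""


def load_accounts(text):
    """Parse the CSV export into a list of per-account dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_ambiguities(accounts):
    """Group accounts by the name a user would type at the 802.1X prompt
    (case-insensitive, trailing '$' of machine accounts stripped) and
    report every name that matches more than one object across domains."""
    by_name = defaultdict(list)
    for acct in accounts:
        key = acct["sAMAccountName"].rstrip("$").lower()
        by_name[key].append(acct)
    report = {}
    for name, objs in sorted(by_name.items()):
        if len(objs) < 2:
            continue  # unique across all joined domains: no ambiguity
        report[name] = {
            "domains": sorted({o["domain"] for o in objs}),
            "classes": sorted({o["objectClass"] for o in objs}),
            # disabled duplicates still matter: per the post above, ISE
            # still considers them when matching the identity
            "disabled": sorted(o["domain"] for o in objs if o["enabled"] == "false"),
        }
    return report


if __name__ == "__main__":
    for name, info in find_ambiguities(load_accounts(SAMPLE_EXPORT)).items():
        print(name, info)
```

Run it against a real export and add a domain qualifier (or remove the stale object) for every name it lists.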
07-18-2018 09:22 PM
Thanks for the document. I don't think I have ever seen that one. The ISE 2.3 document was revised May 31, 2018, so it's pretty up to date.