Cisco ISE 2.2 Patch 9 - User Groups Ignored for External Identity Sources(AD)?

Colton
Level 1

Good Day,

I have recently updated my ISE deployment to patch 9 as suggested by others but now I am having issues with my 802.1x setup.

Running 2 Active Directory Domains which are both connected to ISE. Single SSID running 802.1X tags a user with VLAN 1 or VLAN 2 based on their domain. (Example numbers)

Domain 1 = Admin

Domain 2 = Education

It was working before where it would reference only users from the groups listed but now it seems that when a user attempts to authenticate with Domain 1 Credentials ISE will find a duplicate account on Domain 2 listed in a group that is not approved for inspection.

Is this a known bug with Patch 9 for ISE 2.2?

Still fairly new to ISE and have been trying to set it up for my organization over the last several months, and this has been one non-stop headache ever since. Seems I fix one thing only to break everything else that was working. Beyond frustrating.

6 Replies

hslai
Cisco Employee

ISE has been changing how it resolves a subject or username in AD in recent ISE releases or patches while addressing issues, such as CSCvf21978.

I would suggest that you engage Cisco TAC to troubleshoot and advise on any advanced tuning settings.

Hi Hsing

The bug ID does a fair bit of explaining, which is a pleasant surprise in terms of how most bugs are written! Does Cisco have a document that explains how ISE 2.4 identity resolution works, especially in the context of ambiguity?

As you know, I have a customer with 10 forests and a user can potentially exist multiple times in each forest. When users don't specify their domain during an auth request, then ISE will search all the whitelisted domains. But then the details get fuzzy.

  • What is the search order, if there is more than one domain in the search list?
  • How does ISE treat disabled accounts?
  • And which AD user attribute(s) does it match on (is it one, or a combination?)
  • What does ISE consider to be a match? (i.e. what criteria have to be satisfied? e.g. account=active, UPN matches User-Name, password matches)

In most simple cases where customers only join one AD Domain, and users provide their "AD login account details" during 802.1X, then the solution just works and nobody cares about the details. But I am interested in the case where multiple domains are joined, and where ambiguity exists.

thanks in advance

Arne

I'm actually interested if that information is documented anywhere too. Even in the simple cases where a customer has a single domain I have seen issues.

One client had some machine accounts with the same name as users. ISE was matching the machine account when the user provided credentials and continuously failing with an "invalid password". Not sure if the lookup mechanism changed since; in that case they just removed the stale machine accounts.

The current AD guide is Active Directory Integration with Cisco ISE 2.x, but it might reflect all the recent changes. Our doc team is working to provide some better documentation.

On search order, the searches are almost concurrent but the order does not really matter, as ISE checks for all applicable domains.

On disabled accounts, ISE would fail authentications on them. If lookup only, it's possible to check for NetworkAccess:IdentityAccessRestricted, but matching AD groups and attributes would fail.

On AD attributes for subject without a domain qualifier and/or common name as mentioned in CSCvf21978 for users. For computers, also servicePrincipalName.

On ID match, disabled accounts are still considered to check for passwords.
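As an added illustration of the behaviour described in this thread (this is not Cisco's code and not ISE's actual resolution algorithm, just a toy model), the following script searches every joined domain for an unqualified User-Name, keeps all matches so that search order is irrelevant, still checks the password of a disabled account before failing it, and reports the case from the original question where the same short name exists in two domains. The domains admin.example and edu.example, the NetBIOS names ADMIN and EDU, the accounts and the passwords are all constructed for the example.

```python
"""Toy model of username resolution across several joined AD domains.

Constructed example, not Cisco ISE's actual algorithm. It shows why an
unqualified User-Name that exists in more than one domain is ambiguous,
how a UPN or DOMAIN\\user qualifier removes the ambiguity, and why a
disabled duplicate still counts as a candidate.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    domain: str      # DNS name of the joined domain (constructed)
    sam: str         # sAMAccountName-style short name
    upn: str         # userPrincipalName-style name
    enabled: bool
    pw_sha256: str   # sha256 of the password, adequate for the toy only


def _h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory: "jsmith" exists in both domains, the EDU copy disabled.
NETBIOS = {"ADMIN": "admin.example", "EDU": "edu.example"}
DIRECTORY = [
    Account("admin.example", "jsmith", "jsmith@admin.example", True, _h("Admin-Pw-1")),
    Account("edu.example", "jsmith", "jsmith@edu.example", False, _h("Edu-Pw-2")),
    Account("admin.example", "mjones", "mjones@admin.example", True, _h("Jones-Pw-3")),
]


def split_qualifier(user_name: str):
    """Return (domain, short_name); domain is None when no qualifier is given.

    An unknown NetBIOS prefix yields an empty domain so nothing matches,
    rather than silently widening the search to every domain.
    """
    if "@" in user_name:                       # UPN form user@domain
        short, dom = user_name.rsplit("@", 1)
        return dom.lower(), short
    if "\\" in user_name:                      # NetBIOS form DOMAIN\user
        nb, short = user_name.split("\\", 1)
        return NETBIOS.get(nb.upper(), ""), short
    return None, user_name


def candidates(user_name: str, directory=DIRECTORY):
    """Every account that could be the subject.

    With no qualifier all joined domains are searched and all matches are
    kept, so the order in which domains are queried does not change the result.
    """
    dom, short = split_qualifier(user_name)
    return [
        a for a in directory
        if (dom is None or a.domain == dom)
        and (a.sam.lower() == short.lower() or a.upn.lower() == user_name.lower())
    ]


def authenticate(user_name: str, password: str, directory=DIRECTORY) -> str:
    """Return a short result code for the toy authentication."""
    found = candidates(user_name, directory)
    if not found:
        return "NOT_FOUND"
    if len(found) > 1:
        # The situation in the original question: the same short name in two
        # domains. Which copy is chosen decides whether the password check and
        # the later group match succeed, so the model refuses to guess.
        return "AMBIGUOUS:" + ",".join(sorted(a.domain for a in found))
    acct = found[0]
    # The password is verified even for a disabled account; the disabled
    # state then fails the authentication.
    if not hmac.compare_digest(acct.pw_sha256, _h(password)):
        return "BAD_PASSWORD"
    if not acct.enabled:
        return "DISABLED"
    return "OK:" + acct.domain


if __name__ == "__main__":
    for name in ("jsmith", "jsmith@admin.example", "ADMIN\\jsmith", "jsmith@edu.example"):
        print(f"{name:25} -> {authenticate(name, 'Admin-Pw-1' if 'admin' in name.lower() else 'Edu-Pw-2')}")
```

Running the block prints the unqualified "jsmith" as AMBIGUOUS across both domains, while the UPN and DOMAIN\user forms resolve to one account; the disabled EDU copy fails with DISABLED even with its correct password.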

thanks for the document. I don't think I have ever seen that one. The ISE 2.3 document was revised May 31 2018, so it's pretty up to date.

Another very good in-depth session on AD Connector is BRKSEC-2132 "What’s new in ISE Active Directory Connector" (available on CiscoLive.com/online) by lead engineer and expert on topic, Chris Murray.