Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2035
Views
0
Helpful
8
Replies

ISE 1.1 EAP-TLS User Authentication in Multiforest

alex.dersch
Level 4
Level 4

‎06-27-2012 07:58 AM - edited ‎03-10-2019 07:14 PM

Hello,

we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.

This is the setup:

In domain1 is a MSFT CA with OCSP, DC and ISE

In domain2 is a DC and the users

there is a two way trust between the domains.

This is my authentication scenario:

1. agent connect to a wireless network (ok)

2. client exchanges certificate information with ISE (ok)

3. ISE exchanges certificate status with CA (ok)

4. ISE extracts the subject Alternative Name from the certificate dersa@domain2.ch (ok)

5. ISE queries Active Directory store for the user  dersa@domain2.ch (not ok fails with  22056 Subject not found)

in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.

I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.

Any Ideas?

Regards

Alex

Extract from Log File

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040

DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person

name=dersa@domain2.ch

options=2

DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch

DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list

DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:

dersa@domain2.ch#012name

:

dersa@domain2.ch

type=SAM domain=domain1.LAN#012

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

)), attrs 7e638646 (cacheOps=40f, GC=0)

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN

DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

))"

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

)), attrs e4a3aa15 (cacheOps=40f, GC=1)

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f

DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(

sAMAccountName=dersa@domain2.ch

))"

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No

DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user

DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="

dersa@domain2.ch

" (GC=0)

DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes

DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper

'dersa@domain2.ch'

is not a canonical name

DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person name=dersa@domain2.ch options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: dersa@domain2.ch#012name: dersa@domain2.ch type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=dersa@domain2.ch))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:dersa@domain2.ch Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="dersa@domain2.ch" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper 'dersa@domain2.ch' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

Labels:
0 Helpful
8 Replies 8

alex.dersch
Level 4
Level 4

‎06-27-2012 10:35 AM

I was now able to query user attributes from domain2, i had to provide the username in this format domain2\username. I believe this is the problem i am sending the username in the wrong format. If i would be able to modify the format from username@domain.ch to domain\username everything would be fine.

regards

alex

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to alex.dersch

‎06-27-2012 10:45 AM

Alex,

We need to see if the dns server is able to resolve the domain2, if you issue a nslookup for domain2 what do you show, do you receive any responses? I would start there and see what that turns up. Also what type of trust do you have enabled between domain1 and domain2, ISE uses kerberos to authenticate these users so we need to see if you have an external trust configured between these domains then authentication will fail since kerberos is not allowed. Please use a forest trust which allows kerberos and that should fix your issue.

If you were using acs 4.2 at one point then it would have worked because that uses ntlm auth.

Here is an article for reference:

http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html

Thanks,

Tarik Admani

0 Helpful

alex.dersch
Level 4
Level 4
In response to Tarik Admani

‎06-27-2012 10:54 AM

Hello Tarik,

the trust type is forest Trust. As i mentioned, i was able to retrieve user attributes when i do it in the active directory configuration procedure. What matters at the moment is the format of the username. I have to send it as domai\username. But i can't achieve this with Binary Certificate Comparisation.

regards

alex

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to alex.dersch

‎06-27-2012 11:05 AM

Alex,

It looks like ISE is unable to contact the GC for domain2, are you able to resolve domain2? In the case you are able to resolve the name using netbios, now when you upn (xxx@xxx.xx) that requires dns to be operational since it looks up the dns domain and then sends the user request to the domain GC, my assumption is when you netbios it sends the request to domain1's GC and then it is able to authenticate the user through the trust. I am not an AD expert but I am assuming that is why one is working over the other.

When issue a dns query on the ISE cli for domain2 do you receive any GC's in the response?

Thanks

tarik admani

0 Helpful

alex.dersch
Level 4
Level 4
In response to Tarik Admani

‎06-27-2012 11:17 AM

Tarik,

from the ISE cli i can nslookup domain2.lan and i get this result

nos-ch-wbn-ise1/admin# nslookup domain2.lan

Trying "domain2.lan"

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373

;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:

;domain2.lan.              IN      ANY

;; ANSWER SECTION:

domain2.lan.       600     IN      A       192.168.68.21

domain2.lan.       600     IN      A       172.28.1.3

domain2.lan.       600     IN      A       172.28.1.2

domain2.lan.       600     IN      A       192.168.68.20

domain2.lan.       3600    IN      NS      labdc01.lab.lan.

domain2.lan.       3600    IN      NS      labdc02.lab.lan.

domain2.lan.       3600    IN      NS      labex01.lab.lan.

domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.

domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.

domain2.lan.       3600    IN      NS      mordor.softlink.ch.

domain2.lan.       3600    IN      NS      shire.softlink.ch.

domain2.lan.       3600    IN      NS      labex02.lab.lan.

domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.

domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.

domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.

domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600

;; ADDITIONAL SECTION:

labdc01.lab.lan.        3600    IN      A       172.28.2.196

bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20

bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21

bsfs02.domain2.lan. 1649   IN      A       172.28.1.2

bsfs03.domain2.lan. 595    IN      A       172.28.1.3

So i assume dns is working fine.

Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?

thanks & regards

Alex

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to alex.dersch

‎06-27-2012 11:27 AM

The best thing at this point is to open a SR with TAC since the nslookup commands wont allow you to look for GCs through the cli.

if you are looking for a quick solution what you can do is configure the second domain as an ldap instance since you are using eap-tls. Then you can create and identity store sequence that will check AD then LDAP.

I did notice the following replies:

domain2.lan.       3600    IN      NS      mordor.softlink.ch.

domain2.lan.       3600    IN      NS      shire.softlink.ch.

I dont know why these servers are being sent in the response.

Thanks,

Tarik Admani

0 Helpful

alex.dersch
Level 4
Level 4
In response to alex.dersch

‎06-27-2012 11:34 AM

Hello Tarik,

those are external servers from our provider, i have to verify with them why this is like it is. At the moment i have multiple ldap in the production environment with my ACS.

I don't if i can open tac cases with eval versions.

i'll try

regards

Alex

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to alex.dersch

‎06-30-2012 08:35 PM

Alex,

We're you able to get the DNS info cleaned up.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents