Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE using 2 domains with trust established

Hi,

I need to authenticate wireless network users from two different domains

abc.company.com

cde.company.com

There is trust between domains and ISE joined abc.company.com and it can authenticate and authorize users without issues.

Users from cde.company.com cannot be authenticated (I don't even get to authorization part).

My identity source list has only External ID listed and when I see what is the reason of failure, message states that Authentication has failed (not authorization) because user cannot be found in any identity listed.

Now, users from abc and cde companies are logging with their usernames only. Should they try to login with cde.company\username or something?

Has anyone done this before?

Thanks.

  • AAA Identity and NAC
Everyone's tags (6)
1 ACCEPTED SOLUTION

Accepted Solutions

Re:ISE using 2 domains with trust established

Hi you may want to check the ad logs after seeing them to trace mode. Also check the trust type and make sure it is set to external.


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
6 REPLIES

ISE using 2 domains with trust established

If you have trust between "abc.cde.company.com" and "cde.company.com" then it has to work without issues.

If you have single-sign-on then the machine will autocomplete the domain name even if you only specify the user.

If you don't have single-sign-on, then you have to scecify the domain name. For example cde\username or username@cdp.company.com

You can verify that trust is working by going to "Administration > Identity management > external identity source > active directory > attributes > add > select attributes from directory" There you can type cde\username and if you get the attributes that means you have a trust relationship between cde and abc.

Please rate if this helps

Cisco Employee

ISE using 2 domains with trust established

If you were able to search the user attributes in the above test and confirm that trust has been established. After that you may have to add a UPN suffix or NETBIOS prefix to the username when authenticating to a domain that the ISE is not joined to (Trusted domain), including the child domains.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

ISE using 2 domains with trust established

I have trust. I can get the user information with cde\user and  user@cde.company.com, but authentication is still not working. So, I see  the user, but it is still not being authenticated by the policy.

Here is log:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15048  Queried PIP

15048  Queried PIP

15004  Matched rule

11507  Extracted EAP-Response/Identity

12300  Prepared EAP-Request proposing PEAP with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318  Successfully negotiated PEAP version 0

12800  Extracted first TLS record; TLS handshake started

12805  Extracted TLS ClientHello message

12806  Prepared TLS ServerHello message

12807  Prepared TLS Certificate message

12810  Prepared TLS ServerDone message

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12318  Successfully negotiated PEAP version 0

12812  Extracted TLS ClientKeyExchange message

12804  Extracted TLS Finished message

12801  Prepared TLS ChangeCipherSpec message

12802  Prepared TLS Finished message

12816  TLS handshake succeeded

12509  EAP-TLS full handshake finished successfully

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12313  PEAP inner method started

11521  Prepared EAP-Request/Identity for inner EAP method

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11522  Extracted EAP-Response/Identity for inner EAP method

11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD-Suffolk

24430  Authenticating user against Active Directory

24412  User not found in Active Directory

22056  Subject not found in the applicable identity store(s)

22058  The advanced option that is configured for an unknown user is used

22062  The 'Drop' advanced option is configured in case of a failed authentication request

12315  PEAP inner method finished with failure

22028  Authentication failed and the advanced options are ignored

Cisco Employee

ISE using 2 domains with trust established

24412  User not found in Active Directory

22056  Subject not found in the applicable identity store(s)

Looking at the above message, it seems the authentication request got stuck at the identity store as user not found there. Is DNS resolution working fine for your trusted domain from the ISE. Could you please login to ISE CLI and issue:

nslookup trusted-domain

In case it works fine then you may need to fetch the debug level ISE-AD communication from ACS.

btw, what version of ISE are you running?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**

ISE using 2 domains with trust established

If there is trust between domain and it should work fine. As you are stuck user not found error you have to cross check that you are able to reach the AD from ISE or not. Perform network trace and also check DNS resolution.

Re:ISE using 2 domains with trust established

Hi you may want to check the ad logs after seeing them to trace mode. Also check the trust type and make sure it is set to external.


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
748
Views
0
Helpful
6
Replies