
ISE using 2 domains with trust established

Tim Lewis
Level 1

Hi,

I need to authenticate wireless network users from two different domains

abc.company.com

cde.company.com

There is trust between domains and ISE joined abc.company.com and it can authenticate and authorize users without issues.

Users from cde.company.com cannot be authenticated (I don't even get to authorization part).

My identity source list has only External ID listed and when I see what is the reason of failure, message states that Authentication has failed (not authorization) because user cannot be found in any identity listed.

Now, users from the abc and cde companies are logging in with their usernames only. Should they try to log in with cde.company\username or something?

Has anyone done this before?

Thanks.

Accepted Solution

Tarik Admani
VIP Alumni

Hi, you may want to check the AD logs after setting them to trace mode. Also check the trust type and make sure it is set to external.


6 Replies

Eduardo Aliaga
Level 4

If you have trust between "abc.cde.company.com" and "cde.company.com" then it has to work without issues.

If you have single-sign-on then the machine will autocomplete the domain name even if you only specify the user.

If you don't have single sign-on, then you have to specify the domain name. For example cde\username or username@cde.company.com

You can verify that trust is working by going to "Administration > Identity management > external identity source > active directory > attributes > add > select attributes from directory" There you can type cde\username and if you get the attributes that means you have a trust relationship between cde and abc.

Please rate if this helps

Jatin Katyal
Cisco Employee

If you were able to search the user attributes in the above test and confirm that trust has been established, then you may have to add a UPN suffix or NetBIOS prefix to the username when authenticating to a domain that the ISE is not joined to (a trusted domain), including the child domains.

~BR
Jatin Katyal
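The two replies above come down to one rule: an identity that carries no domain qualifier is looked up only in the domain ISE is joined to, so a user from the trusted domain has to present `NETBIOS\user` or `user@upn.suffix`. The following is an added example (not code from this thread or from Cisco ISE) that models that routing so the failure mode is visible before you touch the wireless clients. The forest layout (ISE joined to abc.company.com, cde.company.com trusted), the NetBIOS names `ABC` and `CDE`, and the user lists are constructed for illustration; the "bare names stay in the joined domain" behaviour is the assumption Jatin's reply describes.

```python
"""
Map an EAP inner identity to the AD domain it will be looked up in.

Added example, not code from the thread or from Cisco ISE. Domain names,
NetBIOS names and directory contents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Domain:
    dns_name: str                   # DNS name of the domain
    netbios: str                    # NetBIOS (pre-Windows 2000) name, assumed here
    upn_suffixes: Tuple[str, ...]   # UPN suffixes that route to this domain


# Constructed forest: ISE is joined to abc.company.com, cde.company.com is trusted.
JOINED = Domain("abc.company.com", "ABC", ("abc.company.com",))
TRUSTED = (Domain("cde.company.com", "CDE", ("cde.company.com",)),)
FOREST = (JOINED,) + TRUSTED

# Constructed directory contents: which accounts exist in which domain.
DIRECTORY: Dict[str, Set[str]] = {
    "abc.company.com": {"alice", "bob"},
    "cde.company.com": {"carol", "dave"},
}


def parse_identity(identity: str) -> Tuple[str, Optional[str], str]:
    """Classify an identity string.

    Returns (form, qualifier, user): form is "netbios" for DOMAIN\\user,
    "upn" for user@suffix, or "bare" for an unqualified username.
    """
    if "\\" in identity:
        dom, user = identity.split("\\", 1)
        return "netbios", dom, user
    if "@" in identity:
        user, suffix = identity.rsplit("@", 1)
        return "upn", suffix, user
    return "bare", None, identity


def resolve_domain(identity: str, joined: Domain = JOINED,
                   forest: Tuple[Domain, ...] = FOREST) -> Tuple[Optional[Domain], str, str]:
    """Pick the domain a lookup for this identity is sent to.

    Assumption (from the thread's advice): an unqualified name is searched
    only in the joined domain, so a user living in a trusted domain is not
    found unless the identity carries a NetBIOS prefix or a UPN suffix.
    """
    form, qual, user = parse_identity(identity)
    if form == "bare":
        return joined, user, "unqualified identity, searched only in the joined domain"
    if form == "netbios":
        for d in forest:
            if d.netbios.lower() == qual.lower():
                return d, user, f"NetBIOS prefix {d.netbios} routes to {d.dns_name}"
        return None, user, f"unknown NetBIOS name {qual!r}"
    for d in forest:
        if qual.lower() in (s.lower() for s in d.upn_suffixes):
            return d, user, f"UPN suffix {qual} routes to {d.dns_name}"
    return None, user, f"unknown UPN suffix {qual!r}"


def lookup(identity: str, directory: Dict[str, Set[str]] = DIRECTORY) -> Dict[str, object]:
    """Simulate the identity-store lookup and report where it went and whether it hit."""
    domain, user, reason = resolve_domain(identity)
    if domain is None:
        return {"identity": identity, "domain": None, "found": False, "reason": reason}
    found = user.lower() in directory.get(domain.dns_name, set())
    return {"identity": identity, "domain": domain.dns_name, "found": found, "reason": reason}


if __name__ == "__main__":
    # "carol" alone goes to abc.company.com and is not found; qualified forms succeed.
    for ident in ("alice", "carol", "CDE\\carol", "carol@cde.company.com", "XYZ\\carol"):
        print(lookup(ident))
```

Running it shows the thread's symptom directly: `carol` (a cde user) is routed to abc.company.com and reported not found, while `CDE\carol` and `carol@cde.company.com` are routed to cde.company.com and found. A supplicant that sends only the bare username therefore needs its identity (or the client's logon domain) fixed; ISE cannot guess the trusted domain from an unqualified name.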

I have trust. I can get the user information with cde\user and user@cde.company.com, but authentication is still not working. So, I see the user, but it is still not being authenticated by the policy.

Here is the log:

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12812  Extracted TLS ClientKeyExchange message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - AD-Suffolk
24430  Authenticating user against Active Directory
24412  User not found in Active Directory
22056  Subject not found in the applicable identity store(s)
22058  The advanced option that is configured for an unknown user is used
22062  The 'Drop' advanced option is configured in case of a failed authentication request
12315  PEAP inner method finished with failure
22028  Authentication failed and the advanced options are ignored
24412  User not found in Active Directory
22056  Subject not found in the applicable identity store(s)
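The step list above already pins the failure to one phase: the outer PEAP/TLS exchange completed (12816), the inner method negotiated EAP-MSCHAP (11808), the identity policy picked the AD store (15013), and the very next result was "User not found" (24412), so no password was ever checked. The following is an added example (not part of the original post, and not Cisco tooling) that parses such a step list and pulls out exactly those facts, which is useful when triaging many live-log entries at once. The sample input is the step list posted above, trimmed to the relevant lines; the table mapping step codes to meanings is this example's own and covers only codes that appear in the post.

```python
"""
Triage an ISE authentication step list (the "Steps" column of a live-log
detail page). Added example, not part of the forum post or of Cisco ISE.
"""
import re
from typing import Dict, List, Optional, Tuple

# Steps that denote a hard failure, taken from the codes in the posted log.
FAILURE_CODES: Dict[int, str] = {
    24412: "user not found in Active Directory",
    22056: "subject not found in the applicable identity store(s)",
    12315: "PEAP inner method finished with failure",
    22028: "authentication failed and the advanced options are ignored",
}

# Constructed sample: the posted step list, trimmed to the lines that matter.
SAMPLE_LOG = """
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
12313  PEAP inner method started
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - AD-Suffolk
24430  Authenticating user against Active Directory
24412  User not found in Active Directory
22056  Subject not found in the applicable identity store(s)
22058  The advanced option that is configured for an unknown user is used
22062  The 'Drop' advanced option is configured in case of a failed authentication request
12315  PEAP inner method finished with failure
22028  Authentication failed and the advanced options are ignored
"""

STEP_RE = re.compile(r"^(\d{5})\s+(\S.*?)\s*$")


def parse_steps(text: str) -> List[Tuple[Optional[int], str]]:
    """Return one (code, message) pair per non-empty line; phase headers get code None."""
    steps: List[Tuple[Optional[int], str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((int(m.group(1)), m.group(2)) if m else (None, line))
    return steps


def triage(text: str) -> Dict[str, object]:
    """Summarise where an authentication attempt failed and what that implies."""
    steps = parse_steps(text)
    codes = [c for c, _ in steps if c is not None]
    result: Dict[str, object] = {
        "tls_handshake_ok": 12816 in codes,      # outer tunnel established
        "inner_method": None,                     # e.g. EAP-MSCHAP
        "identity_store": None,                   # store chosen by the identity policy
        "first_failure": None,                    # first failure code in order
        "unknown_user_action": None,              # advanced option, e.g. Drop
        "verdict": "no failure step found",
    }
    for code, msg in steps:
        if code == 11808:
            m = re.search(r"accepting (\S+) as negotiated", msg)
            if m:
                result["inner_method"] = m.group(1)
        elif code == 15013 and " - " in msg:
            result["identity_store"] = msg.split(" - ", 1)[1]
        elif code == 22062:
            m = re.search(r"'([^']+)'", msg)
            if m:
                result["unknown_user_action"] = m.group(1)
        if code in FAILURE_CODES and result["first_failure"] is None:
            result["first_failure"] = code
    ff = result["first_failure"]
    if ff == 24412:
        # Lookup failed before any credential check: this is an identity-scope
        # problem (unqualified name, wrong store, or trusted domain unreachable),
        # not a certificate or password problem.
        result["verdict"] = (
            f"identity lookup failed in store {result['identity_store']}; "
            f"TLS handshake ok={result['tls_handshake_ok']}, inner method "
            f"{result['inner_method']}; password never checked; check identity "
            "qualification (NETBIOS\\user or user@upn) and trusted-domain reachability"
        )
    elif ff is not None:
        result["verdict"] = FAILURE_CODES[ff]
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The useful discriminator is the order of steps: a 24412 immediately after 24430, with 12816 already present, rules out the supplicant's trust of the ISE certificate and rules out a bad password, and leaves only "the store searched does not contain this name as presented". That is consistent with the attribute test earlier in the thread succeeding only when the name was qualified.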

Looking at the above message, it seems the authentication request got stuck at the identity store, as the user was not found there. Is DNS resolution working fine for your trusted domain from the ISE? Could you please log in to the ISE CLI and issue:

nslookup trusted-domain

In case it works fine, then you may need to fetch the debug-level ISE-AD communication from ACS.

By the way, what version of ISE are you running?

~BR
Jatin Katyal

Ravi Singh
Level 7

If there is trust between the domains, then it should work fine. As you are stuck on the user-not-found error, you have to cross-check whether you are able to reach the AD from ISE or not. Perform a network trace and also check DNS resolution.

