I need to authenticate wireless network users from two different domains
There is trust between the domains, and ISE is joined to abc.company.com, where it can authenticate and authorize users without issues.
Users from cde.company.com cannot be authenticated (I don't even get to the authorization part).
My identity source list has only External ID listed, and when I check the reason for the failure, the message states that authentication has failed (not authorization) because the user cannot be found in any of the identities listed.
Now, users from the abc and cde companies are logging in with their usernames only. Should they try to log in with cde.company\username or something?
If you have trust between "abc.cde.company.com" and "cde.company.com", then it has to work without issues.
If you have single sign-on, then the machine will autocomplete the domain name even if you only specify the user.
If you don't have single sign-on, then you have to specify the domain name. For example, cde\username or firstname.lastname@example.org.
You can verify that the trust is working by going to "Administration > Identity management > external identity source > active directory > attributes > add > select attributes from directory". There you can type cde\username, and if you get the attributes, that means you have a trust relationship between cde and abc.
If you were able to search the user attributes in the above test and confirm that trust has been established, then you may have to add a UPN suffix or NETBIOS prefix to the username when authenticating to a domain that ISE is not joined to (a trusted domain), including the child domains.
22056 Subject not found in the applicable identity store(s)
Looking at the above message, it seems the authentication request got stuck at the identity store because the user was not found there. Is DNS resolution working fine for your trusted domain from the ISE? Could you please log in to the ISE CLI and issue:
If it works fine, then you may need to fetch the debug-level ISE-AD communication from ACS.
If there is trust between the domains, it should work fine. As you are stuck at the user not found error, you have to cross-check whether you are able to reach the AD from ISE or not. Perform a network trace and also check DNS resolution.
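The qualification rule the answers above describe, modelled as an added example (not code from the thread or from Cisco ISE): given the joined domain and its trusted domains, resolve_domain() returns which domain a login will be looked up in, or None when nothing matches, which is the 22056 "Subject not found" outcome. It assumes a bare username is searched only in the joined domain, as the answers imply; the NetBIOS names and the extra UPN suffix are assumptions.

```python
# Added example (not from the thread): models how a login name is matched to the
# ISE-joined domain or one of its trusted domains. The abc/cde DNS names are the
# thread's; NetBIOS names and the "company.com" UPN suffix are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    dns_name: str                 # e.g. "abc.company.com"
    netbios: str                  # NetBIOS prefix used in the DOMAIN\user form
    upn_suffixes: tuple = ()      # extra UPN suffixes accepted in the user@suffix form

# Assumed topology: ISE is joined to abc and has a trust with cde.
JOINED = Domain("abc.company.com", "ABC")
TRUSTED = (Domain("cde.company.com", "CDE", ("company.com",)),)

def parse_login(login: str):
    """Split a login into (domain_hint, account).
    'CDE\\jdoe' -> ('CDE', 'jdoe'); 'jdoe@cde.company.com' -> ('cde.company.com', 'jdoe');
    a bare 'jdoe' carries no hint -> (None, 'jdoe')."""
    if "\\" in login:
        dom, _, user = login.partition("\\")
        return dom.upper(), user
    if "@" in login:
        user, _, suffix = login.rpartition("@")
        return suffix.lower(), user
    return None, login

def resolve_domain(login: str, joined: Domain, trusted=()):
    """Return the DNS name of the domain ISE will search for this login, or None
    when no identity store matches. A bare username is assumed to be searched
    only in the joined domain, which is why unqualified cde users fail above."""
    hint, _account = parse_login(login)
    if hint is None:
        return joined.dns_name
    for dom in (joined, *trusted):
        if hint == dom.netbios:                                  # NETBIOS\user
            return dom.dns_name
        if hint == dom.dns_name or hint in dom.upn_suffixes:    # user@suffix
            return dom.dns_name
    return None

def explain(login: str, joined: Domain = JOINED, trusted=TRUSTED) -> str:
    """One-line verdict in the wording of the ISE failure reason quoted above."""
    target = resolve_domain(login, joined, trusted)
    if target is None:
        return f"{login}: 22056 Subject not found in the applicable identity store(s)"
    return f"{login}: looked up in {target}"
```

Run explain() on "jdoe", "CDE\\jdoe" and "jdoe@cde.company.com" to see that only the qualified forms reach the cde domain.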