Cisco Cisco Identity Services Engine 2.1
During the rewrite, everything enclosed in square bracket [ ] (such as [IDENTITY]) is a variable that is not evaluated on the evaluation
side but instead added with the string that matches that location in the string. Everything without the brackets is evaluated as a fixed
string on both the evaluation side and the rewrite side of the rule.
side but instead added with the string that matches that location in the string. Everything without the brackets is evaluated as a fixed
string on both the evaluation side and the rewrite side of the rule.
The following are some examples of identity rewrite, considering that the identity entered by the user is ACME\jdoe:
• If identity matches ACME\[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This rule instructs Cisco ISE to strip all usernames with the ACME prefix.
• If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]@ACME.com.
The result would be jdoe@ACME.com. This rule instructs Cisco ISE to change the format from prefix for suffix notation or
from NetBIOS format to UPN formats.
from NetBIOS format to UPN formats.
• If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY].
The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate
prefix.
prefix.
• If the identity matches [ACME]\jdoe.USA, rewrite as [IDENTITY]@[ACME].com.
The result would be jdoe\ACME.com. This rule instructs Cisco ISE to strip the realm after the dot, in this case the country and
replace it with the correct domain.
replace it with the correct domain.
• If the identity matches E=[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This is an example rule that can be created when an identity is from a certificate, the field is an email
address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
• If the identity matches E=[EMAIL],[DN], rewrite as [DN].
This rule will convert certificate subject from E=jdoe@acme.com, CN=jdoe, DC=acme, DC=com to pure DN, CN=jdoe,
DC=acme, DC=com. This is an example rule that can be created when identity is taken from a certificate subject and Active
Directory is configured to search user by DN . This rule instructs Cisco ISE to strip email prefix and generate DN.
DC=acme, DC=com. This is an example rule that can be created when identity is taken from a certificate subject and Active
Directory is configured to search user by DN . This rule instructs Cisco ISE to strip email prefix and generate DN.
The following are some common mistakes while writing the identity rewrite rules:
• If the identity matches [DOMAIN]\[IDENTITY], rewrite as [IDENTITY]@DOMAIN.com.
The result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the rewrite side of the
rule.
rule.
• If the identity matches DOMAIN\[IDENTITY], rewrite as [IDENTITY]@[DOMAIN].com.
Here again, the result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the evaluation
side of the rule.
side of the rule.
Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result
of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also applies for
identities taken from certificates if EAP-TLS is being used.
of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also applies for
identities taken from certificates if EAP-TLS is being used.
Enable Identity Rewrite
This configuration task is optional. You can perform it to reduce authentication failures that can arise
because of various reasons such as ambiguous identity errors.
because of various reasons such as ambiguous identity errors.
Note
18