Cisco Cisco Identity Services Engine 1.3
Identity Rewrite
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active
Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or
suffix or other additional markup of your choice.
Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or
suffix or other additional markup of your choice.
Identity rewrite rules are applied on the username or hostname received from the client, before being passed to Active Directory, for
operations such as subject searches, authentication, and authorization queries. Cisco ISE will match the condition tokens and when
the first one matches, Cisco ISE stops processing the policy and rewrites the identity string according to the result.
operations such as subject searches, authentication, and authorization queries. Cisco ISE will match the condition tokens and when
the first one matches, Cisco ISE stops processing the policy and rewrites the identity string according to the result.
During the rewrite, everything enclosed in square bracket [ ] (such as [IDENTITY]) is a variable that is not evaluated on the evaluation
side but instead added with the string that matches that location in the string. Everything without the brackets is evaluated as a fixed
string on both the evaluation side and the rewrite side of the rule.
side but instead added with the string that matches that location in the string. Everything without the brackets is evaluated as a fixed
string on both the evaluation side and the rewrite side of the rule.
The following are some examples of identity rewrite, considering that the identity entered by the user is ACME\jdoe:
• If identity matches ACME\[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This rule instructs Cisco ISE to strip all usernames with the ACME prefix.
• If the identity matches ACME\[IDENTITY], rewrite as [IDENTITY]@ACME.com.
The result would be jdoe@ACME.com. This rule instructs Cisco ISE to change the format from prefix for suffix notation or
from NetBIOS format to UPN formats.
from NetBIOS format to UPN formats.
• If the identity matches ACME\[IDENTITY], rewrite as ACME2\[IDENTITY].
The result would be ACME2\jdoe. This rule instructs Cisco ISE to change all usernames with a certain prefix to an alternate
prefix.
prefix.
• If the identity matches [ACME]\jdoe.USA, rewrite as [IDENTITY]@[ACME].com.
The result would be jdoe\ACME.com. This rule instructs Cisco ISE to strip the realm after the dot, in this case the country and
replace it with the correct domain.
replace it with the correct domain.
• If the identity matches E=[IDENTITY], rewrite as [IDENTITY].
The result would be jdoe. This is an example rule that can be created when an identity is from a certificate, the field is an email
address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
address, and Active Directory is configured to search by Subject. This rule instructs Cisco ISE to remove ‘E=’.
• If the identity matches E=[EMAIL],[DN], rewrite as [DN].
This rule will convert certificate subject from E=jdoe@acme.com, CN=jdoe, DC=acme, DC=com to pure DN, CN=jdoe,
DC=acme, DC=com. This is an example rule that can be created when identity is taken from a certificate subject and Active
Directory is configured to search user by DN . This rule instructs Cisco ISE to strip email prefix and generate DN.
DC=acme, DC=com. This is an example rule that can be created when identity is taken from a certificate subject and Active
Directory is configured to search user by DN . This rule instructs Cisco ISE to strip email prefix and generate DN.
The following are some common mistakes while writing the identity rewrite rules:
• If the identity matches [DOMAIN]\[IDENTITY], rewrite as [IDENTITY]@DOMAIN.com.
The result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the rewrite side of the
rule.
rule.
• If the identity matches DOMAIN\[IDENTITY], rewrite as [IDENTITY]@[DOMAIN].com.
Here again, the result would be jdoe@DOMAIN.com. This rule does not have [DOMAIN] in square brackets [ ] on the evaluation
side of the rule.
side of the rule.
18