Cisco Cisco Identity Services Engine 1.3
Resolving SAM Names
• If the identity is a SAM name (username or machine name without any domain markup), Cisco ISE searchs the forest of each
join point (once) looking for the identity. If there is a unique match, Cisco ISE determines its domain or the unique name and
proceeds with the AAA flow.
proceeds with the AAA flow.
• If the SAM name is not unique and Cisco ISE is configured to use a passwordless protocol such as EAP-TLS, there are no other
criteria to locate the right user, so Cisco ISE fails the authentication with an “Ambiguous Identity” error. However, if the user
certificate is present in Active Directory, Cisco ISE uses binary comparison to resolve the identity.
certificate is present in Active Directory, Cisco ISE uses binary comparison to resolve the identity.
• If Cisco ISE is configured to use a password-based protocol such as PAP, or MSCHAP, Cisco ISE continues to check the
passwords. If there is a unique match, Cisco ISE proceeds with the AAA flow. However, if there is more than one account with
the same password, Cisco ISE fails the authentication with an “Ambiguous Identity” error.
the same password, Cisco ISE fails the authentication with an “Ambiguous Identity” error.
You should avoid username collisions. This not only increases efficiency and security but also prevents accounts from being locked
out. For example, there exist two “chris” with different passwords and Cisco ISE receives only the SAM name“chris”. In this scenario,
Cisco ISE will keep trying both accounts with SAM name “chris,” before deciding the correct one. In such cases, Active Directory
can lock out one of the accounts due to incorrect password attempts. Therefore, you should try to use unique usernames or ones with
domain markup. Alternatively, you can use identity rewrite to qualify SAM names if you use specific network devices for each Active
Directory domain.
out. For example, there exist two “chris” with different passwords and Cisco ISE receives only the SAM name“chris”. In this scenario,
Cisco ISE will keep trying both accounts with SAM name “chris,” before deciding the correct one. In such cases, Active Directory
can lock out one of the accounts due to incorrect password attempts. Therefore, you should try to use unique usernames or ones with
domain markup. Alternatively, you can use identity rewrite to qualify SAM names if you use specific network devices for each Active
Directory domain.
Resolving UPNs
• If the identity is a UPN, Cisco ISE searches each forest’s global catalogs looking for a match to that UPN identity. If there is a
unique match, Cisco ISE proceeds with the AAA flow. If there are multiple join points with the same UPN and a password was
not supplied or does not help in determining the right account, Cisco ISE fails the authentication with an “Ambiguous Identity”
error.
not supplied or does not help in determining the right account, Cisco ISE fails the authentication with an “Ambiguous Identity”
error.
• Cisco ISE also permits an identity that appears to be a UPN to also match the user’s mail attribute, that is, it searches for
“identity=matching UPN or email”. Some users log in with their email name (often via a certificate) and not a real underlying
UPN. This is implicitly done if the identity looks like an email address.
UPN. This is implicitly done if the identity looks like an email address.
Resolving Machine Identities
• If it is a machine authentication, with the identity having a host/prefix, Cisco ISE searches the forest for a matching
servicePrincipalName attribute. If a fully-qualified domain suffix was specified in the identity, for example
host/machine.domain.com, Cisco ISE searches the forest where that domain exists. If the identity is in the form of host/machine,
Cisco ISE searches all forests for the service principal name. If there is more than one match, Cisco ISE fails the authentication
with an “Ambiguous Identity” error.
host/machine.domain.com, Cisco ISE searches the forest where that domain exists. If the identity is in the form of host/machine,
Cisco ISE searches all forests for the service principal name. If there is more than one match, Cisco ISE fails the authentication
with an “Ambiguous Identity” error.
• If the machine is in another identity format, for example machine@domain.com, ACME\laptop$ or laptop$, Cisco ISE uses the
normal UPN, NetBIOS or SAM resolution algorithm.
Resolving NetBIOS Identities
If the identity has a NetBIOS domain prefix, for example ACME\jdoe, Cisco ISE searches the forests for the NetBIOS domain. Once
found, it then looks for the supplied SAM name (“jdoe” in this example) in the located domain. NetBIOS domains are not necessarily
unique, even in one forest, so the search may find multiple NetBIOS domains with the same name. If this occurs, and a password
was supplied, it is used to locate the right identity. If there is still ambiguity or no password was supplied, Cisco ISE fails the
authentication with an “Ambiguous Identity” error.
found, it then looks for the supplied SAM name (“jdoe” in this example) in the located domain. NetBIOS domains are not necessarily
unique, even in one forest, so the search may find multiple NetBIOS domains with the same name. If this occurs, and a password
was supplied, it is used to locate the right identity. If there is still ambiguity or no password was supplied, Cisco ISE fails the
authentication with an “Ambiguous Identity” error.
29