Cisco Cisco Identity Services Engine 1.3
Active Directory User Authentication Process Flow
When authenticating or querying a user, Cisco ISE checks the following:
• MS-CHAP and PAP authentications check if the user is disabled, locked out, expired or out of logon hours and the authentication
fails if some of these conditions are true.
• EAP-TLS authentications checks if the user is disabled or locked out and the authentication fails if some of these conditions is
met.
Additionally, you can can set the IdentityAccessRestricted attribute if conditions mentioned above (for example, user disabled) are
met. IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication
fails if such conditions (for example, user disabled) are met.
met. IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in Cisco ISE because authentication
fails if such conditions (for example, user disabled) are met.
Supported Username Formats
The following are the supported username types:
• SAM, for example: jdoe
• NetBIOS prefixed SAM, for example: ACME\jdoe
• UPN, for example: jdoe@acme.com
• Alt UPN, for example: john.doe@acme.co.uk
• Subtree, for example: johndoe@finance.acme.com
• SAM machine, for example: laptop$
• NetBIOS prefixed machine, for example: ACME\laptop$
• FQDN DNS machine, for example: host/laptop.acme.com
• Hostname only machine, for example: host/laptop
Active Directory Password-Based Authentication
Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) are password-based
protocols. MS-CHAP credentials can be authenticated only by MS-RPC. Cisco ISE provides two options for PAP authentication -
MS-RPC and Kerberos. Both MS-RPC and Kerberos are equally secure options. MS-RPC for PAP authentication is a default and
recommended option because:
protocols. MS-CHAP credentials can be authenticated only by MS-RPC. Cisco ISE provides two options for PAP authentication -
MS-RPC and Kerberos. Both MS-RPC and Kerberos are equally secure options. MS-RPC for PAP authentication is a default and
recommended option because:
• It provides consistency with MS-CHAP
• It provides more clear error reporting
• It allows more efficient communication with Active Directory. In case of MS-RPC, Cisco ISE sends authentication requests to
a domain controller from the joined domain only and the domain controller handles the request.
In case of Kerberos, Cisco ISE needs to follow Kerberos referrals from the joined domain to the user's account domain (that is, Cisco
ISE needs to communicate with all domains on the trust path from the joined domain to the user's account domain).
ISE needs to communicate with all domains on the trust path from the joined domain to the user's account domain).
Cisco ISE examines the username format and calls the domain manager to locate the appropriate connection. After the domain
controller for the account domain is located, Cisco ISE tries to authenticate the user against it. If the password matches, the user is
granted access to the network.
controller for the account domain is located, Cisco ISE tries to authenticate the user against it. If the password matches, the user is
granted access to the network.
14