Cisco Cisco Identity Services Engine 1.3
Identity rewrite rules are always applied within the context of an Active Directory join point. Even if a scope is selected as the result
of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also applies for
identities taken from certificates if EAP-TLS is being used.
of an authentication policy, the rewrite rules are applied for each Active Directory join point. These rewrite rules also applies for
identities taken from certificates if EAP-TLS is being used.
Enable Identity Rewrite
This configuration task is optional. You can perform it to reduce authentication failures that can arise
because of various reasons such as ambiguous identity errors.
because of various reasons such as ambiguous identity errors.
Note
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Advanced Settings tab.
Step 3
Under the Identity Rewrite section, choose whether you want to apply the rewrite rules to modify usernames.
Step 4
Enter the match conditions and the rewrite results. You can remove the default rule that appears and enter the rule according
to your requirement. Cisco ISE processes the policy in order, and the first condition that matches the request username is
applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username
to the result. If none of the rules match, the identity name remains unchanged. You can click the Launch Test button to
preview the rewrite processing.
to your requirement. Cisco ISE processes the policy in order, and the first condition that matches the request username is
applied. You can use the matching tokens (text contained in square brackets) to transfer elements of the original username
to the result. If none of the rules match, the identity name remains unchanged. You can click the Launch Test button to
preview the rewrite processing.
Identity Resolution Settings
Some type of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe,
“ACME” is the domain markup prefix, similarly in a UPN identity such as jdoe@acme.com, “acme.com” is the domain markup suffix.
Domain prefix should match to the NetBIOS (NTLM) name of the Active Directory domain in your organization and domain suffix
should match to the DNS name of Active Directory domain or to the alternative UPN suffix in your organization. For example
jdoe@gmail.com is treated as without domain markup because gmail.com is not a DNS name of Active Directory domain.
“ACME” is the domain markup prefix, similarly in a UPN identity such as jdoe@acme.com, “acme.com” is the domain markup suffix.
Domain prefix should match to the NetBIOS (NTLM) name of the Active Directory domain in your organization and domain suffix
should match to the DNS name of Active Directory domain or to the alternative UPN suffix in your organization. For example
jdoe@gmail.com is treated as without domain markup because gmail.com is not a DNS name of Active Directory domain.
The identity resolution settings allows you to configure important settings to tune the security and performance balance to match
your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain
markup. In cases when Cisco ISE is not aware of the user's domain, it can be configured to search the user in all the authentication
domains. Even if the user is found in one domain, Cisco ISE will wait for all responses in order to ensure that there is no identity
ambiguity. This might be a lengthy process, subject to the number of domains, latency in the network, load, and so on.
your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain
markup. In cases when Cisco ISE is not aware of the user's domain, it can be configured to search the user in all the authentication
domains. Even if the user is found in one domain, Cisco ISE will wait for all responses in order to ensure that there is no identity
ambiguity. This might be a lengthy process, subject to the number of domains, latency in the network, load, and so on.
Avoid Identity Resolution Issues
It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication.
For example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors
frequently, such as, several Active Directory accounts match to the incoming username; for example, jdoe matches to
jdoe@emea.acme.com and jdoe@amer.acme.com. In some cases, using fully qualified names is the only way to resolve issue. In
For example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors
frequently, such as, several Active Directory accounts match to the incoming username; for example, jdoe matches to
jdoe@emea.acme.com and jdoe@amer.acme.com. In some cases, using fully qualified names is the only way to resolve issue. In
19