Cisco Cisco Identity Services Engine 1.3
others, it may be sufficient to guarantee that the users have unique passwords. So, it is more efficient and leads to less password
lockout issues if unique identities are used initially.
lockout issues if unique identities are used initially.
Configure Identity Resolution Settings
This configuration task is optional. You can perform it to reduce authentication failures that can arise
because of various reasons such as ambiguous identity errors.
because of various reasons such as ambiguous identity errors.
Note
Before You Begin
You must join Cisco ISE to the Active Directory domain.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click the Advanced Settings tab.
Step 3
Define the following settings for identity resolution for usernames or machine names under the Identity Resolution
section. This setting provides you advanced control for user search and authentication.
The first setting is for the identities without a markup. In such cases, you can select any of the following options:
section. This setting provides you advanced control for user search and authentication.
The first setting is for the identities without a markup. In such cases, you can select any of the following options:
• Reject the request—This option will fail the authentication for users who do not have any domain markups, such
as a SAM name. This is useful in case of multi join domains where Cisco ISE will have to look up for the identity
in all the joined global catalogs, which might not be very secure. This option forces the users to use names with
domain markups.
in all the joined global catalogs, which might not be very secure. This option forces the users to use names with
domain markups.
• Only search in the “Authentication Domains” from the joined forest—This option will search for the identity
only in the domains in the forest of the join point which are specified in the authentication domains section. This is
the default option and identical to Cisco ISE 1.2 behavior for SAM account names.
the default option and identical to Cisco ISE 1.2 behavior for SAM account names.
• Search in all the “Authentication Domains” sections—This option will search for the identity in all authentication
domains in all the trusted forests. This might increase latency and impact performance.
The selection is made based on how the authentication domains are configured in Cisco ISE. If only specific authentication
domains are selected, only those domains will be searched (for both “joined forest” or “all forests” selections).
domains are selected, only those domains will be searched (for both “joined forest” or “all forests” selections).
The second setting is used if Cisco ISE cannot communicate with all Global Catalogs (GCs) that it needs to in order to
comply with the configuration specified in the “Authentication Domains” section. In such cases, you can select any of the
following options:
comply with the configuration specified in the “Authentication Domains” section. In such cases, you can select any of the
following options:
• Proceed with available domains— This option will proceed with the authentication if it finds a match in any of the
available domains.
• Drop the request— This option will drop the authentication request if the identity resolution encounters some
unreachable or unavailable domain.
20