Cisco Bug: CSCvu35802 - Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest
Oct 23, 2020
- Cisco Identity Services Engine
Known Affected Releases
2.4(0.912) 2.6(0.156) 2.6(0.905) 2.6(0.906) 2.6(0.907) 2.7(0.901)
Symptom: Multiple matching accounts in forest, authorization fails for AD user mapped to an AD group. ISE does an AD look up using email OR UPN as default. Multiple users in AD are shared a common email like "email@example.com" when any user login, ISE sends UPN and email, once AD searches using email address, it finds multiple accounts as many other AD users are also given the same email address. Authentication can also fail if the passwords are different in the two domains as there is ambiguity between which account is the valid account and one failed. Conditions: ISE 2.6 Patch 5, 2.4 Patch 12 or 2.7 Patch 1 and later. Any radius flow that uses AD groups in authorization policies. Two or more users have the same combination of UPN or email. For example user1 could have a UPN of firstname.lastname@example.org and user2 could have an email of email@example.com and run into this issue. A common scenario where this might exist is: user1 is in 1 domain and user2 is in another domain in the same forest.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases