Guest

Preview Tool

Cisco Bug: CSCvu35802 - Shared email for AD users fail to retrieve groups,ISE shows multiple account found in forest

Last Modified

Oct 23, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.4(0.912) 2.6(0.156) 2.6(0.905) 2.6(0.906) 2.6(0.907) 2.7(0.901)

Description (partial)

Symptom:
Multiple matching accounts in forest, authorization fails for AD user mapped to an AD group. ISE does an AD look up using email OR UPN as default. Multiple users in AD are shared a common email like "securityteam@xyx.com" when any user login, ISE sends UPN and email, once AD searches using email address, it finds multiple accounts as many other AD users are also given the same email address.

Authentication can also fail if the passwords are different in the two domains as there is ambiguity between which account is the valid account and one failed.

Conditions:
ISE 2.6 Patch 5, 2.4 Patch 12 or 2.7 Patch 1 and later.
Any radius flow that uses AD groups in authorization policies.
Two or more users have the same combination of UPN or email.

For example user1 could have a UPN of user1@domain.com and user2 could have an email of user1@domain.com and run into this issue.
A common scenario where this might exist is: user1 is in 1 domain and user2 is in another domain in the same forest.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.