https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809655#M241537 <HTML><HEAD></HEAD><BODY><P>Are you using the option "<LABEL for="certificateAuthAllowedAsUserName"> Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory " in your profile?</LABEL></P><P></P><P>You will have to create an LDAP instance to make this work, after you configure the ldap instance then you can go to Directory Organization &gt; select "Strip start of subject name up to the last occurrence of the separator" and change the default to \.</P><P></P><P>thanks,</P><P>Tarik Admani</P></BODY></HTML> Fri, 16 Dec 2011 05:25:35 GMT Tarik Admani 2011-12-16T05:25:35Z https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809654#M241527 <P>Hi there,</P><P>I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.</P><P>I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.</P><P>In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.</P><P></P><P>Does anybody have a tip on how to solve this? </P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 01:38:12 GMT https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809654#M241527 patrick.kofler 2019-03-11T01:38:12Z https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809655#M241537 <HTML><HEAD></HEAD><BODY><P>Are you using the option "<LABEL for="certificateAuthAllowedAsUserName"> Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory " in your profile?</LABEL></P><P></P><P>You will have to create an LDAP instance to make this work, after you configure the ldap instance then you can go to Directory Organization &gt; select "Strip start of subject name up to the last occurrence of the separator" and change the default to \.</P><P></P><P>thanks,</P><P>Tarik Admani</P></BODY></HTML> Fri, 16 Dec 2011 05:25:35 GMT https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809655#M241537 Tarik Admani 2011-12-16T05:25:35Z https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809656#M241553 <HTML><HEAD></HEAD><BODY><P>If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.</P><P></P><P>This is what I got from the documentation:</P><P></P><P><SPAN style="text-decoration: underline;"><EM>"Certificate authentication profiles are used in&nbsp; authentication policies for certificate-based authentications in place&nbsp; of identity sources to verify the authenticity of the user."</EM></SPAN></P><P></P><P>I intend to use machine based authentication without contacting an external identity source.</P><P>I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.</P><P></P><P>This brings me to another question.</P><P>If the CA issuing machine or user certificates is itself an intermediate CA do I have to install a chained certificate (intermediade CA+root CA) in the ISE or both CA certificates separately?</P><P></P><P>Thanks in advance</P><P></P><P>Regards,</P><P>Patrick</P></BODY></HTML> Fri, 16 Dec 2011 08:30:55 GMT https://community.cisco.com/t5/network-access-control/ise-machine-based-dot1x-authentication-not-working/m-p/1809656#M241553 patrick.kofler 2011-12-16T08:30:55Z