https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727199#M247855 <HTML><HEAD></HEAD><BODY><P>Lieven,</P><P></P><P>What does the CN value appear in the client machine that you are testing with, does it show the correct username format that you are looking for?</P><P></P><P>You can create a snap in using the mmc tool and then point it to your certificates. Then under the user's personal certificate store see what certificate is being passed to the ACS. </P><P></P><P>If the username attribute is stored else (Subject Alternative Name) please make the changes on the ACS and see if that moves things along.</P><P></P><P>Thanks,</P><P>Tarik</P></BODY></HTML> Wed, 06 Jul 2011 05:45:20 GMT Tarik Admani 2011-07-06T05:45:20Z https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727198#M247853 <P>dear,</P><P></P><P>We are encountering a certificate issue when a pc tries to log on using dot1x (eap-tls).</P><P><A href="https://hictatriuse031v/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=22047+Principal+username+attribute+is+missing+in+client+certificate&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" target="_self" title="Click for failure reason details">22047 Principal username attribute is missing in client certificate</A></P><P></P><P>We define in "certificate authentication profile" a profile using the subject</P><P>of the certificate as the user principle. Why does ACS keep saying that </P><P>the user principle attribute is empty ?</P><P></P><P>Note : We do not have this problem using ACS 4.1</P><P></P><P>Many thanks,</P><P>Lieven Stubbe</P><P>Belgian Railways</P> Mon, 11 Mar 2019 01:11:29 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727198#M247853 lni1 2019-03-11T01:11:29Z https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727199#M247855 <HTML><HEAD></HEAD><BODY><P>Lieven,</P><P></P><P>What does the CN value appear in the client machine that you are testing with, does it show the correct username format that you are looking for?</P><P></P><P>You can create a snap in using the mmc tool and then point it to your certificates. Then under the user's personal certificate store see what certificate is being passed to the ACS. </P><P></P><P>If the username attribute is stored else (Subject Alternative Name) please make the changes on the ACS and see if that moves things along.</P><P></P><P>Thanks,</P><P>Tarik</P></BODY></HTML> Wed, 06 Jul 2011 05:45:20 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727199#M247855 Tarik Admani 2011-07-06T05:45:20Z https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727200#M247857 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have been testing wireless telephony with Ascom i62 wireless handsets using EAP-TLS. Initial dot1x authentication is successful. Reauthentication sometimes fail on Cisco ACS Version 5.2.0.26.5</P><P></P><P>The same error mesage was displayed.</P><P><A href="https://hictatriuse031v/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=22047+Principal+username+attribute+is+missing+in+client+certificate&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" target="_self">22047 Principal username attribute is missing in client certificate</A></P><P>Only rebooting the phone fixes this issue.</P><P></P><P>Are we hitting bug CSCtn26538 ?</P><P><A href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn26538&amp;from=summary">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn26538&amp;from=summary</A></P><P></P><P>Best regards,</P><P>Peter</P></BODY></HTML> Wed, 21 Sep 2011 12:05:08 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727200#M247857 pverstegen 2011-09-21T12:05:08Z https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727201#M247859 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I got similar problem.</P><P></P><P>In Identity source, I use an identity store sequence:</P><UL><LI>Certificate based (using Principal Username X509 Attribute: Common Name)</LI><LI>Attribute retrieval search list: LDAP server</LI></UL><P></P><P>I use machine certificate...</P><P><IMG __jive_id="74650" __jive_id="74650" alt="username.PNG" class="jive-image-thumbnail jive-image" height="31" src="https://community.cisco.com/username.PNG" width="657" /></P><P></P><P>Username is found in ACS View but I got the authentication error: </P><P><EM>22047 Principal username attribute is missing in client certificate</EM></P><P></P><P>Thanks for your help,</P><P></P><P>Patrick</P></BODY></HTML> Tue, 31 Jan 2012 10:31:53 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727201#M247859 Patrick Tran 2012-01-31T10:31:53Z https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727202#M247861 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>have you been able to solve this problem, we have the same issue with ACS 5.4.0.46.2.</P><P></P><P>Regards</P><P>Dominic</P></BODY></HTML> Thu, 18 Apr 2013 13:32:42 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-certificate-issue/m-p/1727202#M247861 Dominic Stalder (old profile) 2013-04-18T13:32:42Z