topic UPN username format fails using EAP-TLS in Network Access Control

UPN username format fails using EAP-TLS

Lucky8888 — Sun, 10 Mar 2019 22:58:17 GMT

We deployed ACS 4.0 (NOT ACS SE) and WLAN in our corporate network.

Our ultimate goal is to have each staff authenticated against our AD via ACS.

We managed to get PEAP working successfully, but failed with EAP-TLS.

From the log we noticed that when PEAP is used, ACS forward username to AD in domain-qualified format (domain\user),and authentication is successful.

When EAP-TLS is used, ACS forward username to AD in UPN format (user@domain), and ACS received "cannot get user account controler for user@domain" from windows database, authentication failed. Any workaround for this?

Can anyone throw some light here?

Thank you.

Lahki

Re: UPN username format fails using EAP-TLS

scadora — Mon, 14 Jul 2008 15:14:01 GMT

What supplicant are you using? If you can configure it to send the EAP outer-id in a different format (e.g. just "username" or even "anonymous"), then you should avoid this problem. Otherwise, you'll probably need to upgrade to ACS 4.2.

Shelly

Re: UPN username format fails using EAP-TLS

Lucky8888 — Tue, 15 Jul 2008 03:39:49 GMT

I am using Trapeze wirelesss gears.

Re: UPN username format fails using EAP-TLS

scadora — Tue, 15 Jul 2008 15:10:43 GMT

Okay, but your PC still has to have a supplicant. If there's no way to change the format of the EAP outer-id in your supplicant, you'll need to upgrade your ACS. If you have access to bug toolkit, look up CSCsk49811.

Shelly

Re: UPN username format fails using EAP-TLS

Lucky8888 — Tue, 15 Jul 2008 22:39:23 GMT

Not sure what you mean by supplicant.

All the laptops are running XP. Is it possible to change the outer-id for XP supplicant? How?

Thank you in advance.

Re: UPN username format fails using EAP-TLS

Lucky8888 — Sun, 20 Jul 2008 22:50:46 GMT

This is solved.

http://www.cisco.com/en/US/ts/fn/200/fn20228.html

Thanks,

Lahki