01-11-2019 12:54 AM
I am trying to configure a 7945 to use MIC certificates to authenticate in ISE. I have already reviewed the information in "ISE Secure Wired Access Prescriptive Deployment Guide", and it looks like everything is ready to work. However, the phone keeps failing over to MAB.
When I look at the live logs details, here is what I see:
12816 | TLS handshake succeeded
12509 | EAP-TLS full handshake finished successfully
12505 | Prepared EAP-Request with another EAP-TLS challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
12504 | Extracted EAP-Response containing EAP-TLS challenge-response
61025 | Open secure connection with TLS peer
15041 | Evaluating Identity Policy
22072 | Selected identity source sequence - AD_Then_Local_Then_Guest
22070 | Identity name is taken from certificate attribute
15013 | Selected Identity Source - plcmrjlab.local
24432 | Looking up user in Active Directory - plcmrjlab.local
24325 | Resolving identity - CP-7945G-SEP001D70FCE6F9
24313 | Search for matching accounts at join point - plcmrjlab.local
24318 | No matching account found in forest - plcmrjlab.local
24322 | Identity resolution detected no matching account
24352 | Identity resolution failed - ERROR_NO_SUCH_USER
24412 | User not found in Active Directory - plcmrjlab.local
22056 | Subject not found in the applicable identity store(s)
22058 | The advanced option that is configured for an unknown user is used
22061 | The 'Reject' advanced option is configured in case of a failed authentication request
12507 | EAP-TLS authentication failed
11504 | Prepared EAP-Failure
11003 | Returned RADIUS Access-Reject
I have a user configured in AD, but I am not trying to use that user. I am trying to use the local endpoint identity store, since the trusted MIC certs, along with all the other CUCM trust certs, are there.
Do I need to configure a new authentication rule under the policy and somehow tell it to look only at the local endpoints? This is something I tried, but I get a different error indicating that there is a conflict in the authentication request (certificate vs. password based).
Not even sure if my point is clear enough to understand. Any help is appreciated. Thanks.
01-11-2019 05:06 PM
Hey Paul.
I was able to figure it out. Every suggestion on here was very useful.
I finally ran into what was causing the problem resulting in "Identity resolution failed - ERROR_NO_SUCH_USER".
The authorization profile. I was using the Subject - Common Name attribute under the Certificate icon for a condition instead of using the one under the User icon.
Lesson learned: Be sure to carefully follow instructions... :-) Thanks.
01-11-2019 01:14 AM
01-11-2019 11:05 AM
The screenshot didn't show up.
01-11-2019 11:28 AM - edited 01-11-2019 11:32 AM
It should look something like this. See how there is no ID store configured.
01-11-2019 02:36 PM
Hi Surendra,
Could you please share your screenshot again when you get a chance? It didn't show up the first time.
01-11-2019 06:32 AM
Looks like you are using a certificate profile that is tied into AD. You need to create a certificate profile that is not checking AD for identity. Create one that uses either the Common Name or the SAN field for identity, but with no AD check.
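To make the point in the reply above concrete, here is an added example (it is not from this thread and not Cisco's code) that models what a CN-based certificate authentication profile does with a phone's EAP-TLS certificate and then resolves that identity against two stand-in identity stores. The MIC subject is DER-encoded inside the block rather than read from a real phone, the AD and endpoint tables are constructed dicts, and the assumption that the endpoints store is matched by the MAC embedded in the SEP-style CN is this example's simplification of ISE's behaviour, not a statement of how ISE implements it.

```python
"""
Added example (not from this thread or from Cisco): a stand-alone model of what
an ISE certificate authentication profile does with an EAP-TLS client cert,
and why sending a phone's MIC identity to Active Directory ends in
ERROR_NO_SUCH_USER while a lookup against the internal endpoints store works.

Everything below is constructed: the MIC subject is DER-encoded here rather
than read from a real phone certificate, and the two identity stores are
small dicts standing in for AD and ISE's internal endpoints database.
"""
import re

# Subject attribute OIDs (X.520), as raw DER content bytes.
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value (lengths up to 65535 are enough here)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def der_read(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, payload, position after it)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        width = n & 0x7F
        n = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, buf[pos:pos + n], pos + n


def build_subject(attrs) -> bytes:
    """X.501 Name: SEQUENCE OF RDN, each a SET OF one {OID, UTF8String} pair."""
    rdns = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, val.encode())))
        for oid, val in attrs
    )
    return der_tlv(0x30, rdns)


def subject_attributes(name_der: bytes) -> dict:
    """Walk a DER Name and return {oid: value}. This is the log's
    'Identity name is taken from certificate attribute' step, done by hand."""
    out = {}
    _, rdns, _ = der_read(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = der_read(rdns, pos)
        _, atv, _ = der_read(rdn, 0)
        _, oid, after_oid = der_read(atv, 0)
        _, val, _ = der_read(atv, after_oid)
        out[oid] = val.decode()
    return out


# Cisco phone MIC CNs look like CP-<model>-SEP<MAC without separators>.
SEP_RE = re.compile(r"^CP-[0-9A-Z]+-SEP([0-9A-Fa-f]{12})$")


def mac_from_sep_name(cn: str):
    """Return the colon-separated MAC embedded in a SEP-style CN, or None."""
    m = SEP_RE.match(cn)
    if not m:
        return None
    hexmac = m.group(1).upper()
    return ":".join(hexmac[i:i + 2] for i in range(0, 12, 2))


# Constructed identity stores. AD holds people and service accounts; the
# endpoints store is keyed by MAC, which is what the phone's CN carries.
# (Matching the endpoints store by MAC is this example's assumption.)
AD_ACCOUNTS = {"jdoe", "svc-cucm"}
LOCAL_ENDPOINTS = {"00:1D:70:FC:E6:F9": "Cisco-IP-Phone"}


def resolve_identity(subject_der: bytes, store: str):
    """Take the CN from the cert (as a CN-based certificate profile would) and
    look it up in the chosen store. Returns (identity, found)."""
    cn = subject_attributes(subject_der)[OID_CN]
    if store == "ad":
        return cn, cn.lower() in AD_ACCOUNTS      # a phone CN is never an AD account
    if store == "endpoints":
        return cn, mac_from_sep_name(cn) in LOCAL_ENDPOINTS
    raise ValueError(f"unknown store {store!r}")


# Constructed MIC subject for the phone named in the thread's log.
PHONE_SUBJECT = build_subject([
    (OID_O, "Cisco Systems Inc."),
    (OID_CN, "CP-7945G-SEP001D70FCE6F9"),
])

if __name__ == "__main__":
    for store in ("ad", "endpoints"):
        ident, found = resolve_identity(PHONE_SUBJECT, store)
        print(f"{store:9s} identity={ident} found={found}")
```

Running it shows the same identity, CP-7945G-SEP001D70FCE6F9, being rejected by the AD stand-in and accepted by the endpoints stand-in; the TLS handshake itself is not the problem in either case, which is exactly the shape of the live log above (handshake succeeded, identity resolution failed). The practical check is therefore which identity store the certificate authentication profile points at, not the trust chain.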
01-11-2019 11:00 AM
Thanks. I think I was moving in that direction at some point, but since I was clueless I didn't keep trying. I will try that again and see how it works. Thanks again.