06-28-2011 04:38 AM - edited 03-10-2019 06:11 PM
Dear,
We are encountering a certificate issue when a PC tries to log on using dot1x (EAP-TLS).
22047 Principal username attribute is missing in client certificate
We define in "certificate authentication profile" a profile using the subject
of the certificate as the user principal. Why does ACS keep saying that
the user principal attribute is empty?
Note: We do not have this problem using ACS 4.1.
Many thanks,
Lieven Stubbe
Belgian Railways
07-05-2011 10:45 PM
Lieven,
What does the CN value appear as on the client machine that you are testing with? Does it show the correct username format that you are looking for?
You can create a snap-in using the MMC tool and then point it to your certificates. Then under the user's personal certificate store see what certificate is being passed to the ACS.
If the username attribute is stored elsewhere (Subject Alternative Name), please make the changes on the ACS and see if that moves things along.
Thanks,
Tarik
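
The check described in the reply above, scripted as an added example that is not part of any post in this thread: for each certificate in the current user's and the local machine's personal store it lists the Subject CN, the UPN and raw text of the Subject Alternative Name, and whether client authentication is allowed, for comparison with the attribute selected in the ACS certificate authentication profile. The function name `Get-CertIdentityFields` and the output field names are made up for this example; it relies on the Windows `Cert:` drive.

```powershell
# Added example (not from the thread): show which identity fields a client
# certificate actually carries. Function and field names are hypothetical.
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-CertIdentityFields {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store = ''
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

    # One RDN per line, then keep only the CN components of the Subject.
    $cn = $Cert.SubjectName.Format($true) -split "`r?`n" |
          Where-Object { $_ -match '^\s*CN=' } |
          ForEach-Object { ($_ -replace '^\s*CN=', '').Trim() }

    # Raw SAN text as Windows renders it (the labels are locale dependent).
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($sanExt) { $sanExt.Format($false).Trim() } else { '' }

    # A certificate without an EKU extension is not restricted by purpose.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = if ($ekuExt) {
        @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
    } else { $true }

    [pscustomobject]@{
        Store      = $Store
        Subject    = $Cert.Subject
        SubjectCN  = $cn -join '; '
        SanUpn     = $Cert.GetNameInfo($nameType::UpnName, $false)
        SanText    = $san
        ClientAuth = $clientAuth
        NotAfter   = $Cert.NotAfter
    }
}

# User certificates and machine certificates live in different stores.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem $store |
        ForEach-Object { Get-CertIdentityFields -Cert $_ -Store $store } |
        Format-List
}
```

An empty `SubjectCN` or `SanUpn` in the output shows which fields the certificate does not populate.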
09-21-2011 05:05 AM
Hi,
We have been testing wireless telephony with Ascom i62 wireless handsets using EAP-TLS. Initial dot1x authentication is successful. Reauthentication sometimes fails on Cisco ACS Version 5.2.0.26.5.
The same error message was displayed.
22047 Principal username attribute is missing in client certificate
Only rebooting the phone fixes this issue.
Are we hitting bug CSCtn26538?
Best regards,
Peter
01-31-2012 02:31 AM
Hi,
I got a similar problem.
In Identity source, I use an identity store sequence:
I use machine certificate...
Username is found in ACS View but I got the authentication error:
22047 Principal username attribute is missing in client certificate
Thanks for your help,
Patrick
04-18-2013 06:32 AM
Hi,
Have you been able to solve this problem? We have the same issue with ACS 5.4.0.46.2.
Regards
Dominic