ACS 5.2 certificate issue

lni1
Level 1

Dear,

We are encountering a certificate issue when a PC tries to log on using dot1x (EAP-TLS).

22047 Principal username attribute is missing in client certificate

We define in "certificate authentication profile" a profile using the subject of the certificate as the user principal. Why does ACS keep saying that the user principal attribute is empty?

Note: We do not have this problem using ACS 4.1.

Many thanks,

Lieven Stubbe

Belgian Railways


Tarik Admani
VIP Alumni

Lieven,

How does the CN value appear on the client machine that you are testing with? Does it show the correct username format that you are looking for?

You can create a snap-in using the MMC tool and then point it to your certificates. Then, under the user's personal certificate store, see what certificate is being passed to the ACS.

If the username attribute is stored elsewhere (Subject Alternative Name), please make the changes on the ACS and see if that moves things along.

Thanks,

Tarik
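
A scripted version of the certificate-store check described in the reply above, added here as an example (it is not part of any poster's message and not Cisco tooling). The `$StorePath` parameter and the output field names are choices made for this example; the script only reads the local store and reports which identity fields each client-authentication certificate actually carries.

```powershell
# Added example: list the identity fields of client-auth certificates in a store,
# so they can be compared with the attribute the ACS certificate profile expects.
param(
    # Cert:\CurrentUser\My for user certificates, Cert:\LocalMachine\My for machine certificates
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

$x509          = 'System.Security.Cryptography.X509Certificates'
$nameType      = [type]"$x509.X509NameType"
$ekuType       = [type]"$x509.X509EnhancedKeyUsageExtension"
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$sanOid        = '2.5.29.17'           # subjectAltName

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_

    # Skip certificates whose EKU extension excludes client authentication.
    # A certificate without an EKU extension is not restricted, so it is kept.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $clientAuthOid) { return }
    }

    # Take the CN from the subject DN. A quoted value such as CN="Doe, John"
    # is returned with its quotes; an absent CN yields an empty string.
    $cn = ''
    if ($cert.Subject -match '(?:^|,\s*)CN=("[^"]*"|[^,]+)') { $cn = $Matches[1] }

    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SubjectEmpty  = [string]::IsNullOrWhiteSpace($cert.Subject)
        CommonName    = $cn
        SanUpn        = $cert.GetNameInfo($nameType::UpnName, $false)
        SanDns        = $cert.GetNameInfo($nameType::DnsFromAlternativeName, $false)
        SanRaw        = if ($san) { $san.Format($false) } else { '' }
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
} | Format-List
```

An empty `CommonName` or `SubjectEmpty = True` next to a populated `SanUpn` or `SanDns` means the identity lives in the Subject Alternative Name rather than the subject.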

pverstegen
Level 1

Hi,

We have been testing wireless telephony with Ascom i62 wireless handsets using EAP-TLS. Initial dot1x authentication is successful. Reauthentication sometimes fails on Cisco ACS Version 5.2.0.26.5.

The same error message was displayed.

22047 Principal username attribute is missing in client certificate

Only rebooting the phone fixes this issue.

Are we hitting bug CSCtn26538?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

Best regards,

Peter

Hi,

I got a similar problem.

In Identity source, I use an identity store sequence:

  • Certificate based (using Principal Username X509 Attribute: Common Name)
  • Attribute retrieval search list: LDAP server

I use a machine certificate...

The username is found in ACS View, but I got the authentication error:

22047 Principal username attribute is missing in client certificate

Thanks for your help,

Patrick

Hi,

Have you been able to solve this problem? We have the same issue with ACS 5.4.0.46.2.

Regards

Dominic