ACS 5.3 and Machine Authentication

I am using ACS 5.3. I have successfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication succeeded.

I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.

I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a successful EAP-TLS authentication.

I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?

Anybody have any ideas?

Thanks


Hi pblume,

I can't find the link I am referring to, but it sounds like the Wireless LAN Controller is caching the Authentication data, not the ACS.

Thomas


Thomas,

Thanks for the reply. However, if the WLC was caching the authentication data, then I'm assuming that I would not see any authentications in ACS since the WLC is taking care of it. Also, the WLC Session Timeout is forcing the laptop to do a full re-authentication with the Radius server. So the re-authentication request is definitely getting to the ACS.

I've seen the behavior you're referring to with roaming and caching the encryption keys. But I don't think this is the same thing.

Thanks


In your certificate authentication profile, do you have the option to "Perform Binary Certificate Comparison..." checked? If you don't, the ACS will authenticate the client based on the certificate in the Trusted CA store, meaning that if the ACS has the root certificate installed and the client presents a cert signed by this CA, then authentication will succeed at the ACS and not with AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

OK, you are right. I enabled that option and saw the wireless client fail (finally)!

Unfortunately, when I activate the Domain Controller, I also fail authentication with the following issues from the ACS log:

Evaluating Identity Policy
15006  Matched Default Rule
24433  Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24435  Machine Groups retrieval from Active Directory succeeded
24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24483  Failed to retrieve the machine certificate from Active Directory.
22049  Binary comparison of certificates failed
22057  The advanced option that is configured for a failed authentication request is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
12507  EAP-TLS authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

I know it's not a Cisco ACS issue, but would you know what I need to do to allow the laptop certificate to be retrieved from the Domain Controller? I can see the certificate in the Active Directory Certificate Services "Issued Certificates" folder.

Thanks
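The two Certificate Authentication Profile modes Tarik describes (plain chain validation against the Trusted CA store versus binary comparison against the certificate published on the machine's Active Directory object) and the 24483/22049 failure path in the log above, modelled as an added example. This is not Cisco ACS code and not from the original thread: the CA, the host name, the certificates and the AD computer objects are constructed stand-ins, and the CA signature is simulated with an HMAC rather than real X.509 so that it runs offline with the standard library. The model also covers a case the thread does not spell out: a freshly re-issued certificate with a valid chain that has not yet been published to AD.

```python
"""Model of ACS EAP-TLS machine authentication with and without the
"Perform Binary Certificate Comparison" option. Added example; the
certificates, CA, AD store and message codes below are stand-ins, with
the codes taken from the log quoted in this thread."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # machine host name (constructed)
    issuer: str    # issuing CA name
    serial: int
    der: bytes     # stand-in for the DER encoding of the certificate
    sig: bytes     # simulated CA signature over `der`


class SimCA:
    """Stand-in enterprise CA; `secret` plays the role of its signing key."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def issue(self, subject: str, serial: int) -> Cert:
        der = f"{subject}|{self.name}|{serial}".encode()
        return Cert(subject, self.name, serial, der,
                    hmac.new(self.secret, der, "sha256").digest())


class SimAD:
    """Stand-in AD identity store: host name -> certificate on the object."""

    def __init__(self, published: Dict[str, Cert]) -> None:
        self.published = published
        self.connected = True

    def machine_certificate(self, host: str) -> Optional[Cert]:
        if not self.connected:
            raise ConnectionError("identity store is Disconnected")
        return self.published.get(host)


def chain_valid(cert: Cert, trusted_cas: Dict[str, bytes]) -> bool:
    """Check every EAP-TLS server performs: issued by a CA in the trusted store?"""
    secret = trusted_cas.get(cert.issuer)
    if secret is None:
        return False
    expected = hmac.new(secret, cert.der, "sha256").digest()
    return hmac.compare_digest(expected, cert.sig)


def authenticate(cert: Cert, trusted_cas: Dict[str, bytes], ad: SimAD,
                 binary_comparison: bool) -> Tuple[bool, List[str]]:
    """Return (accepted, log) using the message codes seen in the thread."""
    log: List[str] = []
    if not chain_valid(cert, trusted_cas):
        log.append("12507 EAP-TLS authentication failed")
        return False, log
    if not binary_comparison:
        # Option unchecked: a valid chain is enough and AD is never consulted,
        # which is why authentications kept succeeding with the DC offline.
        return True, log
    try:
        stored = ad.machine_certificate(cert.subject)
    except ConnectionError:
        stored = None
    if stored is None:
        log.append("24483 Failed to retrieve the machine certificate from Active Directory")
        return False, log
    if not hmac.compare_digest(stored.der, cert.der):
        log.append("22049 Binary comparison of certificates failed")
        return False, log
    return True, log


# Constructed scenario data
LAB_CA = SimCA("LAB-ROOT-CA", b"constructed-ca-secret")
OTHER_CA = SimCA("OTHER-CA", b"constructed-other-secret")
TRUSTED = {LAB_CA.name: LAB_CA.secret}          # the ACS Trusted CA store
HOST = "lab-pc.example.test"                     # constructed host name
CURRENT = LAB_CA.issue(HOST, serial=1001)        # copy published on the AD object
REISSUED = LAB_CA.issue(HOST, serial=1002)       # valid chain, not yet in AD
UNTRUSTED = OTHER_CA.issue(HOST, serial=1)       # CA not in the trusted store


def run_scenarios() -> Dict[str, bool]:
    """Exercise each situation from the thread; True means Access-Accept."""
    ad = SimAD({HOST: CURRENT})
    results: Dict[str, bool] = {}
    ad.connected = False
    results["dc_offline_no_binary"] = authenticate(CURRENT, TRUSTED, ad, False)[0]
    results["dc_offline_binary"] = authenticate(CURRENT, TRUSTED, ad, True)[0]
    ad.connected = True
    results["dc_online_binary"] = authenticate(CURRENT, TRUSTED, ad, True)[0]
    results["not_published"] = authenticate(CURRENT, TRUSTED, SimAD({}), True)[0]
    results["reissued_binary"] = authenticate(REISSUED, TRUSTED, ad, True)[0]
    results["reissued_no_binary"] = authenticate(REISSUED, TRUSTED, ad, False)[0]
    results["untrusted_ca"] = authenticate(UNTRUSTED, TRUSTED, ad, False)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} -> {'Access-Accept' if ok else 'Access-Reject'}")
```

The `dc_offline_no_binary` case reproduces the original observation: with the option unchecked the identity store is never queried, so a Disconnected AD changes nothing. With it checked, the ACS fails closed whenever the certificate cannot be fetched (store down or nothing published on the object) and also rejects a certificate that chains correctly but is not the exact copy AD holds, which is the stronger guarantee the option buys.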


What functional level is your domain, and what version of Windows are you using for the certificate authority?

Sent from Cisco Technical Support iPad App

Tarik Admani
*Please rate helpful posts*

The domain functional level is Windows Server 2008 R2. The CA is on the same server.


Hi,

See if this gives you any luck:

http://technet.microsoft.com/en-us/library/cc730861%28v=ws.10%29

Thanks,

Tarik Admani
*Please rate helpful posts*