cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2628
Views
0
Helpful
7
Replies

ACS 5.3 and Machine Authentication

pblume
Level 1
Level 1

I am using ACS 5.3. I have succesfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication suceeded.

I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.

I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a succesfull EAP-TLS authentication.   

I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?

Anybody have any ideas?

Thanks             

7 Replies 7

thomas1337
Level 1
Level 1

Hi pblume,

i can't find a link to which i refer to but it sounds like the Wireless LAN Controller is caching the Authentication data, not the ACS.

Thomas

Thomas,

Thanks for the reply. However, if the WLC was caching the authentication data, then I'm assuming that I would not see any authentications in ACS since the WLC is taking care of it. Also, the WLC Session Timeout is forcing the laptop to do a full re-authentication with the Radius server. So the re-authentication request is definitely getting to the ACS.

I've seen the behavior you're referring to with roaming and caching the encryption keys. But I don't think this is the same thing.

Thanks

In your certificate authentication profile, do you have the option to "Perform Binary Certificate Comparison..." checked. If you dont the ACS will authenticate client based on the certificate in the Trusted CA store, meaning that if the ACS has the root certificate installed and the client presents the cert signed by this CA then authentication will succed at the ACS and not with AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

OK, you are right. I enabled that option and saw the wireless client fail (finally)!

Unfortunately, when I activate the Domain Controller, I also fail authentication with the following issues from the ACS log:

Evaluating Identity Policy

15006  Matched Default Rule

24433  Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com

24435  Machine Groups retrieval from Active Directory succeeded

24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.

24483  Failed to retrieve the machine certificate from Active Directory.

22049  Binary comparison of certificates failed

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

12507  EAP-TLS authentication failed

11504  Prepared EAP-Failure

11003  Returned RADIUS Access-Reject Evaluating Identity Policy
15006  Matched Default Rule
24433  Looking up machine/host in Active Directory - xxxx.xxxx.xxxx.xxx.com
24435  Machine Groups retrieval from Active Directory succeeded
24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24483  Failed to retrieve the machine certificate from Active Directory.
22049  Binary comparison of certificates failed
22057  The advanced option that is configured for a failed authentication request is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
12507  EAP-TLS authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

I know it's not a Cisco ACS issue, but would you know what I need to do to allow the laptop certificate to be retrieved from the Domain Controller? I can see the certificate in the Active Directory Certificate Services "Issued Certificates" folder.

Thanks

What functional level is your domain, and what version of windows are you using for certificate authority?

Sent from Cisco Technical Support iPad App

The domain functional level is Windows Server 2008 R2. The CA is on the same server.

Hi,

See if this gives you any luck:

http://technet.microsoft.com/en-us/library/cc730861%28v=ws.10%29

Thanks,

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: