08-06-2012 10:03 AM - edited 03-10-2019 07:23 PM
I am using ACS 5.3. I have successfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication succeeded.
I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.
I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a successful EAP-TLS authentication.
I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?
Anybody have any ideas?
Thanks
08-06-2012 11:07 AM
Hi pblume,
I can't find a link to refer to, but it sounds like the Wireless LAN Controller is caching the authentication data, not the ACS.
Thomas
08-06-2012 11:19 AM
Thomas,
Thanks for the reply. However, if the WLC was caching the authentication data, then I'm assuming that I would not see any authentications in ACS since the WLC is taking care of it. Also, the WLC Session Timeout is forcing the laptop to do a full re-authentication with the Radius server. So the re-authentication request is definitely getting to the ACS.
I've seen the behavior you're referring to with roaming and caching the encryption keys. But I don't think this is the same thing.
Thanks
08-06-2012 12:02 PM
In your certificate authentication profile, do you have the option to "Perform Binary Certificate Comparison..." checked? If you don't, the ACS will authenticate the client based on the certificate in the Trusted CA store, meaning that if the ACS has the root certificate installed and the client presents a cert signed by this CA, then authentication will succeed at the ACS and not with AD.
Thanks,
Tarik Admani
*Please rate helpful posts*
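The contrast Tarik describes, chain validation against the trusted CA store versus a byte-for-byte comparison with the copy held in AD, as an added shell/openssl example that is not from this thread or from Cisco. The lab CA, the host names and the directory_copy.der file standing in for the machine object's userCertificate attribute are all constructed for illustration.

```shell
#!/bin/sh
# Added example: chain validation alone accepts any certificate the CA issued,
# while binary comparison only accepts the exact copy on file in the directory.
# All names are constructed; directory_copy.der stands in for AD's userCertificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A throwaway lab CA, the one the RADIUS server would hold in its trust store.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 1 -subj "/CN=Lab Root CA" >/dev/null 2>&1

# issue_cert PREFIX CN: issue a client certificate signed by the lab CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 1 >/dev/null 2>&1
}

issue_cert published "lab-pc.example.test"   # the copy that was pushed to AD
issue_cert reissued  "lab-pc.example.test"   # same subject, newer cert, never published

# What the directory holds: the DER encoding of the published certificate.
openssl x509 -in published.crt -outform DER -out directory_copy.der

# chain_ok CERT: the check done without binary comparison (trust store only).
chain_ok() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# binary_ok CERT: byte-for-byte match of the presented DER against the directory copy.
binary_ok() {
  openssl x509 -in "$1" -outform DER -out presented.der 2>/dev/null
  cmp -s presented.der directory_copy.der
}

# result CERT: one-line verdict for both checks.
result() {
  if chain_ok "$1"; then c=pass; else c=fail; fi
  if binary_ok "$1"; then b=pass; else b=fail; fi
  echo "$1: chain=$c binary=$b"
}

result published.crt   # prints "published.crt: chain=pass binary=pass"
result reissued.crt    # prints "reissued.crt: chain=pass binary=fail"
```

The reissued certificate is exactly the case the thread hits: valid under the CA, so it passes with binary comparison off, but rejected once ACS insists on the copy stored on the machine object.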
08-06-2012 02:33 PM
Tarik,
OK, you are right. I enabled that option and saw the wireless client fail (finally)!
Unfortunately, when I activate the Domain Controller, I also fail authentication with the following issues from the ACS log:
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24435 Machine Groups retrieval from Active Directory succeeded
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24483 Failed to retrieve the machine certificate from Active Directory.
22049 Binary comparison of certificates failed
22057 The advanced option that is configured for a failed authentication request is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
I know it's not a Cisco ACS issue, but would you know what I need to do to allow the laptop certificate to be retrieved from the Domain Controller? I can see the certificate in the Active Directory Certificate Services "Issued Certificates" folder.
Thanks
08-06-2012 04:55 PM
What functional level is your domain, and what version of Windows are you using for the certificate authority?
Sent from Cisco Technical Support iPad App
08-06-2012 05:58 PM
The domain functional level is Windows Server 2008 R2. The CA is on the same server.
08-06-2012 07:15 PM
Hi,
See if this gives you any luck:
http://technet.microsoft.com/en-us/library/cc730861%28v=ws.10%29
Thanks,
Tarik Admani
*Please rate helpful posts*