ACS 5.3, EAP-TLS Machine Authentication with Active Directory
08-19-2012 09:59 PM - edited 03-10-2019 07:26 PM
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only: If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing).
Under my Access Policy Identity tab, I configured the following Advanced features:
And that didn't do anything either.
Any ideas? Thanks in advance.
Labels: AAA
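The report above is the interesting artifact here: a "24437 Machine not found in Active Directory" step followed by "11002 Returned RADIUS Access-Accept" in the same session. Until the policy is fixed, that pattern is worth alerting on. The following is an added example of mine, not code from the original post or from Cisco: it runs that check over the step messages copied from the post plus two sessions I constructed for contrast (the 11003 Access-Reject message code in the third one is my assumption, not something the thread shows). Session IDs and the second and third hosts are made up.

```python
import re
from typing import Dict, List, Tuple

# Step messages as they appear in the ACS 5.3 authentication report. The first
# session is copied from the original post; the other two are constructed for
# contrast and are not from the thread.
SAMPLE_SESSIONS: Dict[str, List[str]] = {
    "session-A-orig": [
        "15006 Matched Default Rule",
        "22037 Authentication Passed",
        "22023 Proceed to attribute retrieval",
        "24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com",
        "24437 Machine not found in Active Directory",
        "22016 Identity sequence completed iterating the IDStores",
        "12506 EAP-TLS authentication succeeded",
        "11503 Prepared EAP-Success",
        "15042 No rule was matched",
        "15006 Matched Default Rule",
        "15016 Selected Authorization Profile - Permit Access",
        "11002 Returned RADIUS Access-Accept",
    ],
    "session-B-found": [  # constructed: machine exists in AD, accept is expected
        "22037 Authentication Passed",
        "22023 Proceed to attribute retrieval",
        "24433 Looking up machine/host in Active Directory - LAB-PC-OK.example.test",
        "12506 EAP-TLS authentication succeeded",
        "15016 Selected Authorization Profile - Permit Access",
        "11002 Returned RADIUS Access-Accept",
    ],
    "session-C-rejected": [  # constructed: machine missing and the request rejected
        "22037 Authentication Passed",
        "24433 Looking up machine/host in Active Directory - LAB-PC-GONE.example.test",
        "24437 Machine not found in Active Directory",
        "11003 Returned RADIUS Access-Reject",  # message code assumed, not from the thread
    ],
}

# "24433 Looking up machine/host in Active Directory - <host>"
LOOKUP_RE = re.compile(r"^24433 .* - (\S+)$")
NOT_FOUND_CODE = "24437"   # Machine not found in Active Directory
ACCEPT_CODE = "11002"      # Returned RADIUS Access-Accept


def step_code(line: str) -> str:
    """Return the leading numeric message code of an ACS step line."""
    return line.split(" ", 1)[0]


def lookup_host(steps: List[str]) -> str:
    """Extract the host ACS looked up in AD, or '' when there is no 24433 step."""
    for line in steps:
        m = LOOKUP_RE.match(line)
        if m:
            return m.group(1)
    return ""


def is_orphan_accept(steps: List[str]) -> bool:
    """True when AD reported the machine missing and ACS still returned Access-Accept."""
    codes = {step_code(line) for line in steps}
    return NOT_FOUND_CODE in codes and ACCEPT_CODE in codes


def find_orphan_accepts(sessions: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (session id, host) for every session that needs investigating."""
    return [(sid, lookup_host(steps))
            for sid, steps in sessions.items() if is_orphan_accept(steps)]


if __name__ == "__main__":
    for sid, host in find_orphan_accepts(SAMPLE_SESSIONS):
        print(f"ALERT {sid}: {host} accepted although AD reported it missing")
```

Only the first session is flagged: the second was found in AD, and the third was rejected. Feeding the real report export in as the session dictionary is the only change needed to run this against a live ACS.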

08-19-2012 10:24 PM
In the authorization policy you can see that the default rule has been matched. However, looks like the default rule result is to permit access. If you change this to "DenyAccess" I think you may get the desired result.
08-19-2012 10:28 PM
Currently, I only have the default rule configured in the authorization policy, which is to allow access. If I make that a deny all, then everything will be denied. (I tested that just as a sanity test.) Can I add a rule in my authorization policy to deny access if the machine is not found in AD?

08-19-2012 11:00 PM
You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then you can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
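To make the reply above concrete, here is an added example of mine (not code from the thread, and not how ACS is implemented) that models the two mechanisms it relies on: attribute retrieval that falls back to the configured default when the machine is missing, and first-match authorization rules followed by the Default Rule. The AD computer entry, the policy condition name "MachineInAD", and the choice of distinguishedName as the attribute to retrieve are all my assumptions; the sentinel "DEFAULTVALUE" and the rule shape come from the reply.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Sentinel default for the retrieved AD attribute, as suggested in the reply.
DEFAULT_VALUE = "DEFAULTVALUE"

# Which attribute to retrieve is an assumption; distinguishedName is present
# on every AD object, so a real machine never comes back with the sentinel.
AD_ATTRIBUTE = "distinguishedName"

# Constructed stand-in for the AD computer objects ACS would query.
AD_COMPUTERS: Dict[str, Dict[str, str]] = {
    "LAB-PC-PB.VITS.attcst.sbc.com": {
        "distinguishedName": "CN=LAB-PC-PB,CN=Computers,DC=VITS,DC=attcst,DC=sbc,DC=com",
    },
}


def retrieve_attribute(host: str, attribute: str, default: str) -> str:
    """Model of ACS attribute retrieval: when the machine (or the attribute)
    is not found, the configured default is used instead of failing."""
    obj = AD_COMPUTERS.get(host)
    if obj is None or attribute not in obj:
        return default
    return obj[attribute]


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    result: str  # an authorization profile name, or "DenyAccess"


def evaluate_authorization(rules: List[Rule], attrs: Dict[str, str],
                           default_result: str) -> Tuple[str, str]:
    """First-match evaluation: configured rules in order, then the Default Rule."""
    for rule in rules:
        if rule.condition(attrs):
            return rule.name, rule.result
    return "Default Rule", default_result


# The rule from the reply: if the policy condition still carries the sentinel,
# the AD lookup did not return a real object, so deny.
DENY_UNKNOWN_MACHINE = Rule(
    name="Deny machines missing from AD",
    condition=lambda a: a["MachineInAD"] == DEFAULT_VALUE,
    result="DenyAccess",
)


def authorize_machine(host: str, rules: List[Rule],
                      default_result: str = "Permit Access") -> Tuple[str, str]:
    """Attribute retrieval for the host, then the authorization policy.
    "MachineInAD" is the hypothetical Policy Condition Name."""
    attrs = {"MachineInAD": retrieve_attribute(host, AD_ATTRIBUTE, DEFAULT_VALUE)}
    return evaluate_authorization(rules, attrs, default_result)


if __name__ == "__main__":
    for host in ("LAB-PC-PB.VITS.attcst.sbc.com", "deleted-pc.example.test"):
        print(host, "->", authorize_machine(host, [DENY_UNKNOWN_MACHINE]))
```

With only the Default Rule set to DenyAccess (the poster's sanity test) every machine is denied, and with no deny rule at all the original failure reproduces: a deleted machine still reaches "Permit Access". The sentinel rule placed ahead of the Default Rule denies only the missing machine. The caveat is the attribute choice: if a real computer object can lack the attribute, that machine is also denied, so pick one that is mandatory on every object.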

01-29-2013 05:27 PM
Why are there no Authorization Profiles with Deny Access?
I am having the same problem where the default rule of permit access is being hit thus allowing everyone to login as long as their username is in AD.
What did you do to deny access for the default Authorization Profile...

01-29-2013 11:08 PM
You can't create a new authorization profile with deny access, but when you select an authorization profile as the result of an authorization policy you should see an option there to select a DenyAccess profile. You do not see the DenyAccess profile in the list of authorization profiles.

01-30-2013 09:11 AM
My mistake. You have to click on the Select button to see the list of profiles. I have already been tricked by that Select button before; you'd think I would have learned my lesson. When you go to Policy Elements and Authorization Profiles you only see Permit Access and not the Deny, so I was thinking my setup was broken.
Thanks for the help.
