ACS 5.3, EAP-TLS Machine Authentication with Active Directory

I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.

My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.

Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.

Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory -
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept

I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?

Note: In my Identity Store Sequence, I did enable the option:

For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"

but this only seems to work for internal identity stores (at least based on my testing)

Under my Access Policy Identity tab, I configured the following Advanced features:

If authentication failed
If user not found
If process failed

And that didn't do anything either.

Any ideas? Thanks in advance.
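The log above is the signal a practitioner would want to check for across all ACS authentication records, not just this one: step 22037 ("Authentication Passed", the certificate check) fires before 24437 ("Machine not found in Active Directory"), and the record still ends in 11002 ("Returned RADIUS Access-Accept"). The following script is an added example, not code from the original post or from Cisco: it parses records in the step-code format shown above and flags any that accept a client whose machine lookup failed. The first sample record is the log pasted in the question; the second is a constructed record showing what a correctly denied attempt would look like, with its step text approximated and the reject code 11003 assumed from the ACS/ISE message catalog rather than taken from this thread.

```python
"""Flag ACS 5.x authentication records where the AD machine lookup failed
but the request was still accepted (added example, not from the original post)."""
import re
from dataclasses import dataclass

STEP_RE = re.compile(r"^(\d{5})\s+(.+)$")      # "24437 Machine not found ..."
PHASE_RE = re.compile(r"^Evaluating\s+(.+)$")  # "Evaluating Authorization Policy"

# Step codes taken from the log pasted in the question.
AUTH_PASSED = "22037"
MACHINE_NOT_FOUND = "24437"
ACCESS_ACCEPT = "11002"
# Assumed (not in the question's log): the reject outcome code from the
# ACS/ISE message catalog, used only to classify the constructed record.
ACCESS_REJECT = "11003"

# Record as posted in the question above.
RECORD_AS_POSTED = """
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory -
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
"""

# Constructed record: same session, but an authorization rule selects
# DenyAccess. Step wording after "Evaluating Authorization Policy" is
# approximated, not copied from a real ACS log.
RECORD_WITH_DENY_RULE = """
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory -
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Authorization Policy
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""

CONSTRUCTED_RECORDS = {
    "laptop-after-AD-delete": RECORD_AS_POSTED,
    "laptop-with-deny-rule": RECORD_WITH_DENY_RULE,
}


@dataclass
class AuthRecord:
    name: str
    steps: list   # [(code, message), ...] in log order
    phases: list  # policy phases in evaluation order


def parse_record(name: str, text: str) -> AuthRecord:
    """Split one pasted ACS record into numbered steps and phase headers."""
    steps, phases = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
            continue
        m = PHASE_RE.match(line)
        if m:
            phases.append(m.group(1))
    return AuthRecord(name, steps, phases)


def codes(rec: AuthRecord) -> list:
    return [code for code, _ in rec.steps]


def ad_lookup_after_auth_passed(rec: AuthRecord) -> bool:
    """True when the AD lookup failure is logged after 'Authentication Passed':
    the lookup is attribute retrieval, not part of the authentication decision."""
    cs = codes(rec)
    return (AUTH_PASSED in cs and MACHINE_NOT_FOUND in cs
            and cs.index(AUTH_PASSED) < cs.index(MACHINE_NOT_FOUND))


def classify(rec: AuthRecord) -> str:
    """Outcome of the record, with the dangerous combination called out."""
    cs = set(codes(rec))
    if ACCESS_ACCEPT in cs and MACHINE_NOT_FOUND in cs:
        return "ACCEPT_WITHOUT_AD_MACHINE"
    if ACCESS_ACCEPT in cs:
        return "ACCEPT"
    if ACCESS_REJECT in cs:
        return "REJECT"
    return "INCOMPLETE"


def find_unsafe_accepts(records: dict) -> list:
    """Names of records that were accepted although the machine was not in AD."""
    return sorted(name for name, text in records.items()
                  if classify(parse_record(name, text)) == "ACCEPT_WITHOUT_AD_MACHINE")


if __name__ == "__main__":
    for name, text in CONSTRUCTED_RECORDS.items():
        rec = parse_record(name, text)
        print(name, classify(rec), "lookup-after-auth:", ad_lookup_after_auth_passed(rec))
    print("unsafe:", find_unsafe_accepts(CONSTRUCTED_RECORDS))
```

Run against an export of ACS authentication detail logs, the same check turns the single observation in this thread into a standing detection: any record that reaches 11002 after 24437 means the authorization policy, not the identity sequence, is the only thing standing between a revoked or deleted machine and the network.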


In the authorization policy you can see that the default rule has been matched. However, looks like the default rule result is to permit access. If you change this to "DenyAccess" I think you may get the desired result.


Currently, I only have the default rule configured in the authorization policy which is to allow access. If I make that a deny all, then everything will be denied. (I tested that just as a sanity test.) Can I add a rule in my authorization policy to deny access if the machine is not found in AD?


You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".

Then you can make a rule in the authorization policy such as

If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"


Why are there no Authorization Profiles with Deny Access?

I am having the same problem where the default rule of permit access is being hit, thus allowing everyone to log in as long as their username is in AD.
What did you do to deny access for the default Authorization Profile...


You can't create a new authorization profile with deny access, but when you select an authorization profile as the result of an authorization policy you should see an option there to select a DenyAccess profile. You do not see the DenyAccess profile in the list of authorization profiles.


My mistake. You have to click on the Select button to see the list of profiles. I have already been tricked by that Select button before; you would think I would have learned my lesson. When you go to Policy Elements and Authorization Profiles you only see Permit Access and not the Deny, so I was thinking my setup was broken.

Thanks for the help.
