07-27-2012 06:52 AM - edited 03-10-2019 07:20 PM
Hi There,
We are successfully authenticating our Windows 7 wireless laptop users, using Microsoft CA issued machine certificates, to a Cisco ACS Server v4.2 using EAP-TLS.
However, when AnyConnect 3.0.5080 is installed and Network Access Manager (NAM) is running on the laptops, NAM appears to be selecting details from the wrong certificate for EAP-TLS authentication to the ACS Server: it selects username details from a personal certificate on the user's machine that is used by Lync 2010 and does not use the machine certificate that is installed.
Attached are ACS logs that indicate this.
Will NAM always use details obtained from a personal certificate in preference to a machine certificate (if they both have the same domain name contained within them)?
Anything specific I should be looking at?
Thanks in advance for any help.
08-20-2012 09:00 AM
No problem Jim,
If you could please update this thread as you progress it will help a lot of customers in the future!
Thanks,
Tarik Admani
*Please rate helpful posts*
07-28-2012 03:49 AM
Jim,
Can you check and see if the Lync cert is in the appropriate store? From what I understand, machine authentication works if the Lync cert isn't deployed. To check the cert stores follow this guide - http://msdn.microsoft.com/en-us/library/ms788967.aspx - and for the computer account please make sure that only the computer cert is there.
Thanks,
Tarik Admani
*Please rate helpful posts*
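As an added example (not part of this thread, and not Cisco's or Microsoft's code), the following PowerShell lists the client-authentication certificates in the machine and user Personal stores so the certificate NAM should be using for machine EAP-TLS can be compared against any user certificates (such as one issued for Lync) that could be selected instead. It assumes a Windows host with the `Cert:` drive available (Windows PowerShell 3 or later); the EKU and SAN OIDs are the standard PKIX values, and the matching of the machine certificate against the host FQDN is this example's own check.

```powershell
# Added example: inventory client-auth certificates in the two Personal stores
# that matter for EAP-TLS (Local Computer and Current User) and highlight the
# one(s) that actually identify this machine.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (EKU required for EAP-TLS peers)
$SanOid        = '2.5.29.17'           # subjectAltName extension

function Get-EapClientCerts {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string] $Location
    )
    Get-ChildItem -Path "Cert:\$Location\My" | ForEach-Object {
        $cert = $_
        # EnhancedKeyUsageList is added by the Cert: provider; an empty list means
        # the certificate carries no EKU extension and is valid for any purpose.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $san  = $cert.Extensions |
                Where-Object { $_.Oid.Value -eq $SanOid } |
                ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Store      = $Location
            Subject    = $cert.Subject
            SAN        = ($san -join '; ')
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            ClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
        }
    }
}

# Host FQDN, used only to flag which machine-store certificate names this computer.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$machineCerts = Get-EapClientCerts -Location LocalMachine
$userCerts    = Get-EapClientCerts -Location CurrentUser

Write-Host "== Local Computer \ Personal =="
$machineCerts |
    Select-Object Subject, SAN, NotAfter, HasKey, ClientAuth,
        @{ n = 'NamesThisHost'; e = { ($_.Subject -match [regex]::Escape($fqdn)) -or ($_.SAN -match [regex]::Escape($fqdn)) } } |
    Format-Table -AutoSize

Write-Host "== Current User \ Personal (candidates a user-mode EAP-TLS supplicant could pick) =="
$userCerts |
    Where-Object { $_.ClientAuth -and $_.HasKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, SAN, Issuer, NotAfter |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the affected laptop. A machine certificate usable for EAP-TLS machine authentication should appear in the first table with `HasKey` and `ClientAuth` true, a future `NotAfter`, and `NamesThisHost` true; any rows in the second table are user certificates that also qualify for client authentication and are therefore worth comparing against the identity the ACS logs show.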
08-13-2012 01:41 AM
Hi Tarik,
Apologies for the delay in replying.
Checked the laptop and only the computer cert is in the Local Computer account (under Personal certificates);
the Lync certificate is in Personal certificates under Current User on the same machine.
Regards
Jim.
08-13-2012 10:47 AM
Jim,
Can you check the profile for your network and see if you are using both machine and user connection? It may be that there wasn't a user certificate installed, so AnyConnect used the machine cert to connect to the network, but once the Lync certs were deployed it gave AnyConnect another certificate to authenticate with.
Attached is the screenshot for the setting.
Tarik Admani
*Please rate helpful posts*
08-14-2012 12:54 AM
Hi Tarik,
Checked, and the profile is set for Machine Connection (see attachment). For information, Lync was deployed before AnyConnect with NAM was installed.
Regards
Jim.
08-14-2012 01:11 AM
Jim,
I wonder if you could set the credentials to password-based (PEAP) for machine authentication and see if you can get consistent machine authentication records. It doesn't make sense as to why Network Access Manager would look in the user certificate store when the profile is set to use the machine credentials. I think you should open a TAC case and make sure you aren't hitting a bug.
Just out of curiosity which xml file did you open to see these settings?
Tarik Admani
*Please rate helpful posts*
08-14-2012 01:23 AM
Tarik,
Back in the office tomorrow at this time and will give PEAP a try. Will post an update once I have tried it.
The XML file was configuration.xml at the following location:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system
Jim.
08-15-2012 04:44 AM
Hi Tarik,
I tried user authentication using password-based PEAP as suggested and that works fine, but it is not what we want.
Thought we had run into the bug "CSCtr97908 Machine Authentication with 2008 AD cert template fails", so I upgraded to AnyConnect v3.1.00495, which resolves this; however, we are still having issues with NAM picking user certificates over machine certificates.
I removed all user certificates from "Certificates - Current User" and AnyConnect/NAM cannot find any valid certificates (even though the machine certificate is still present in "Certificates (Local Computer)").
I then went through the AnyConnect/NAM logs and on our wireless connection can see the EAP ID request and NAM then searching for valid user certificates (it does not look for machine certificates). Would it be related in any way to the EAP ID request from the wireless infrastructure?