Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5502
Views
4
Helpful
16
Replies

ACS - AnyConnect 3.0.5080 Network Access Manager (NAM) selecting wrong Certificate

Go to solution
jim.bell@argyll-bute.gov.uk
Level 1
Level 1

‎07-27-2012 06:52 AM - edited ‎03-10-2019 07:20 PM

Hi There,

We are successfully authenticating our Windows7 Wireless laptop users using Microsoft CA issued Machine Certificates to Cisco ACS Server v4.2 using EAP-TLS

However when AnyConnect 3.0.5080 is Installed and Network Access Manager (NAM) is running on the laptops NAM appears to be selecting details from the wrong certifcate for EAP-TLS authentication to ACS Server, it selects Username details from a Personal certificate on the users machine that is used by LYNC 2010 and does not use the Machine Certificate that is installed.

Attached is ACS logs that indicate this.

Will NAM always use details obtained from a Personal certificate in prefernce to a Machine certificate (if they both have the same domain name contained within them).

Anything specific I should be looking at.

Thanks in advance for any help.

Labels:
Preview file
89 KB
0 Helpful
16 Replies 16

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to jim.bell@argyll-bute.gov.uk

‎08-20-2012 09:00 AM

No problem Jim,

If you could please update this thread as you progress it will help a lot of customers in the future!

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
jim.bell@argyll-bute.gov.uk
Level 1
Level 1
In response to Tarik Admani

‎08-23-2012 08:58 AM

Tarik,

The issue has now been resolved with the excellent assistance of Cisco TAC - it was a configuration issue within our NAM Profile.

Im summary there were 2 Network Groups within our NAM profile "Default" and "Local Networks".

The profile was set correctly to use Machine Authentication for our wireless SSID in the "Default" group and was listed as an Administrator network within NAM (however as before this was failing and NAM was using the LYNC user certificate details).

Turns out there had been a test network with the same SSID set-up previously within the "Local Networks" group and this was listed as a User network and it is this one that NAM was using to try and authenticate.

When this test network was deleted from the "Local Networks" group we were then able to authenticate to our wireless SSID successfully using 802.1x and EAP-TLS

Thanks again for your earlier help.

Regards

Jim.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents