Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


EAP-TLS and ACS 5.1 with AD


I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:

24435  Machine Groups retrieval from Active Directory succeeded

24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.

24483  Failed to retrieve the machine certificate from Active Directory.

22049  Binary comparison of certificates failed

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

12507  EAP-TLS authentication failed

11504  Prepared EAP-Failure

11003  Returned RADIUS Access-Reject
What ist the problem? I can't find documents how to configure this in detail.
Can some one helf me?
King regardes
Jagdeep Gambhir

Hi Torsten,

Did you enable " Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Director" in acs-->Users and Identity Stores-->Local certificate-->Edit ?




I can't find this point 'acs-->Users and Identity Stores-->Local certificate-->Edit ?' in my ACS-Webpage.

I have under 'Users and Identity Stores' only Certificate Authorities, Certificate Authentication Profile and Identity Store Sequences.

But I use a Certificate Authentication Profile in wich I selectet 'Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory '



Hi Torsten,

The option you are looking for is under system configuration:

Configuring Local Server Certificates

Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:

Configuring CA Certificates




Plz rate helpful posts-



yes on this point I import my CA-Certifacte and bind ist to the Protocol EAP and Management Interface. (both points I can select on the edit page). That was done before I open the case. The error must be on an other Topic. But I don't no where. Would it help if I send some Hardcopys of Configpages? So please tell me which one you need.

King regardes



Were you able to get this resolved?


Hi, I am using the Certitifcate from CA server.  so binding the " Local Server Certificates" and  "CA Certificates" with the same certificate right? 


Hi These,

I installed cisco ACS 5.1 version in Vmware server successfully. Now I am trying to join  this ACS server into my Windows Active Directory ( 2008 ). While trying the same i am unable to join this active directory.

Error which i got while trying the same as " Can not resolve network address "

I already verified with Domain name, Dns ip address and domain name resolve and network reachailbility and access permission with rights to join active directory..

Please help in this to complete the activity and let me now how you done this with what procedure do you followed.



Please make sure that ACS and AD are on same timezone. From ACS cli issue command "show clock"

Timezone is to be configured manually on acs. So Time and timezone needs to be same.



Do rate helpful posts

Hi  Jagdeep,

Thanks alot and i find the problem. Its actually in AD timezone is mentioned wrong thats why i am not able to join in my AD.

Yea now I am able to join my ACS into AD without any issues. One more think, after joined to AD my ACS will showing wrong timing while checking the AAA logs. But, in ACS GUI as weel as CLI it showing correct timing only.

Please suggest me in this and let me what could the reason for this problem.



Wouldn't there be a 'clock skew' error if the timezone's were different ?


Hi Torsten,

I am having the same problem - did you ever get this resolved? Doing local ACS cert auth (as part of the AD certficate chain setup) works for machine auth instead of binary comparison against cert pulled from AD , but I need the AD integrated features to check dial in properties etc - and when I have binary comparison on, user auth works and machine auth gets this problem you describe.



There is an attribute in the machine certificate template in AD for issueing of machine certificates - there is a check box to publish the certificate to AD - this was not checked and is needed to be. So basically examining a cert in AD for a user the userCertificate attribute was populated with a binary cert, but under a machine object the userCertificate attribute was empty - hence ACS couldn't find the attribute to binary compare with when it looked up the machine account.
A matter of ticking a checkbox in AD will fix this.

I am using ACS 5.3 and i had the same error "Binary comparison of certificates failed" .

The issue was that in AD the group Cert Publisher was not added to the users which mean that the Certificate was not present in AD. After adding the users to this group and delete and request a new cert for the user, all works fine

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (35%)

Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel