10813 Views | 5 Helpful | 9 Replies

EAP-TLS and Windows 10 Home edition

odaoliveira
Level 1

Hi,

I have a notebook with Windows 10 and have had no success joining an SSID with EAP-TLS authentication. The environment is:

- ACS 5.3;
- notebook with Windows 10 Home, not domain joined.

On Windows 10 I've found only "Windows: EAP-TTLS", which is not the standard EAP-TLS.

If I try to connect automatically (by simply clicking on the SSID and choosing 'Connect'), the error returned on ACS is:

Selected Authorization Profile is DenyAccess;

If I configure it manually using "Windows: EAP-TTLS" as the authentication method, the error returned on ACS is:

11512 Extracted EAP-Response/NAK packet requesting to use unsupported EAP protocol; EAP-negotiation failed

I've tried other configuration parameters, but it always returns something like 'unsupported protocol/method'.

Has anyone already connected to a Cisco EAP-TLS Wi-Fi with Windows 10 Home, not domain joined?

Thanks a lot.

9 Replies

Ivan Gonzalez
Cisco Employee

Hi,

On the Windows 10 supplicant configuration, is there not an option that says "Smart Card or other certificate"? If yes, that is the one you need to use for EAP-TLS authentication. Now, for this method to work properly, you also need to have the root/intermediate CA certificates on the ACS, under the "Certificate Authorities" section.

So when the ACS receives the client certificate, it can trust it.

It would be helpful if you could upload screenshots of your supplicant configuration and of the ACS reports.

Hi Ivan,

Thanks for the reply.

The ACS is configured correctly, since I have many laptops joined to the EAP-TLS SSID, even non-domain-joined laptops; the difference is that I have not tried Windows 10 Home edition. I mention non-domain laptops because on domain-joined laptops it is very easy to join: the certificates are already in the Windows repository, and most of the time it is just a matter of clicking 'Connect' and all the configuration is done automatically.

About this specific laptop, the certificate is configured in the right certificate container. I was trying "Windows: EAP-TTLS" as the authentication method, but I also tried 'Microsoft: Smart Card or other certificate' as well as 'Microsoft: Protected EAP (PEAP)', configuring the certificate further.

When testing and troubleshooting on ACS, it was not possible to do a configuration where I could enter the username; it always recognizes the local user and of course does not validate it, and the ACS log says '... because client rejected ACS local certificate'.

When configured so that I can enter a user/password, I get a log saying 'Selected Authorization Profile is DenyAccess', which is not true since the same user can connect from other laptops.

Thanks again.

Hi,

This error basically means that this attempt did not hit any of your authorization rules and hit a rule that is set to "Deny Access" (which most likely is the default rule).

Try to open the report and compare it with the conditions you have on your rule to determine which condition is not being hit; also, checking the "Steps" section at the bottom of the report might tell you why it failed.

Hi,

Sorry for the delay, I was on vacation :)

I've just installed Windows 10 on a corporate notebook for testing.

This is a domain-joined notebook. I have no problems joining the Wi-Fi network, but when logged in with a local account the join does not work.

I did a thorough comparison between the Wi-Fi configuration on this laptop with a domain user logged in (which works) and the same laptop with a local user's Wi-Fi configuration, and it is all the same. But the problem is, there is no way to make Windows 10 understand that I want to use a domain user to log in; it tries to connect with the laptop's local user account, which of course will not work, and the ACS log shows the event "15039 - Selected Authorization Profile is DenyAccess".

Below is where I tell Windows that I want to use a different user to log on.

I've tried a million times, but there is no way to connect.

The certificates are all OK! I think it is a bug in Windows 10. Anyway, I quit trying; perhaps a future Windows update will fix it.

Thanks a lot for the help!

You selected "Smart card or other Certificate" as the type of authentication you want to do, which in Windows means EAP-TLS, not PEAP. EAP-TLS does not send a username/password, so that checkmark in "Use a different user name for the connection" does not do anything. What you are probably having an issue with is that a local user does not have a user certificate from AD, as they are not an AD user. You need to decide if you are using certificates to authenticate, or username/password.

Hi Jan, thanks for the reply.

In EAP-TLS, when validating the certificate the username/password is not checked, but in the next step, after validating the certificate chain and the user certificate, it needs to pass the username/password so the ACS can validate it against Active Directory.

The certificate chain or user certificate is not the issue, because the ACS log explicitly says "15039 - Selected Authorization Profile is DenyAccess"; it means that the first step (certificate validation) is OK, but the next (user validation) is not OK. Of course it is trying to validate a local user account and will fail, because I need to send ACS an Active Directory user, not a local user.

Below is an example of a successful user authentication on the same laptop, but logged on with a domain user account.

Thanks again

I think you are misunderstanding something:

- Windows cannot use both a certificate with EAP-TLS and username/password with PEAP; you either do username/password with PEAP or certificates with EAP-TLS.

AnyConnect NAM can do this.

- EAP-TLS does NOT do user authentication; it only checks the certificate. Anything in EAP-TLS related to usernames is only ACS/ISE checking that the username in the certificate CN field is actually a user present in AD, and it is used only for looking up AD groups.

- When you log in to your Windows machine with a local user, you won't have access to any other user's certificate on that machine, so if you are actually using EAP-TLS it won't work, unless you are only doing machine validation or you are actually using PEAP and not EAP-TLS.

Hello All,

FYI, Windows 10 is supported only as of ACS version 5.8 and not on older versions:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/device_support/sdt58.html#pgfId-69953

I think what you are seeing is a result of not having the root/issuing certificate installed in the root store of that Windows 10 machine, and as such it is not trusted. This would happen because the machine has not received those certs via Group Policy (which is pretty much standard in AD when you have a Microsoft PKI). You should export the root and whatever issuing CAs you might have in your PKI, and import them into the PC's trusted root store. Then modify the dot1x config on the PC to trust the root/issuing CA. Also, as Ivan said, "Smartcard or other certificate" is the one to select for doing EAP-TLS in Windows.