I'm having a problem when I'm using EAP-TLS with a certificate for authentication. The authentication is working if my authorization criteria don't include an external group in the matching criteria. When I try to add an external group in my authorization rule, it doesn't match my rule.
When I look in the "Other Attributes" field for that client, it is not showing up as an available attribute.
Do you know why it is doing this? Is the user I use for joining the AD missing rights? Anything else? Active Directory is 2003 and 2008.
FYI, when I use the same account to authenticate with PEAP rather than EAP-TLS, the external groups are there and I can create a rule to match the external group for that user.
Also, when I try to read the attributes for this user in the external identity, no attributes are returned. Some other users are working.
Any clue??? Is there any debug I can enable to troubleshoot this?
Thanks in advance
1. Post the whole screen of the authentication window
2. Post a screenshot of the supplicant configuration (including settings and advanced settings)
3. Version of ISE that you are using
Here are the screenshots.
One of them is the authorization policy. Some of them are duplicates and disabled because I'm testing, but I want to mention that rule #3 is working and rule #4 is not working. This is where my problem is: rule #4 includes the external group criteria. If I create the same rule #4 but use PEAP rather than a certificate for authentication, it will work.
I'm using ISE 1.1.2
I am a little bit confused with your authorization rules: I don't see any references to any AD external groups. The differences that I see between your authorization rules 3 & 4 are:
1. Rule 3 is disabled and 4 is not
2. Rule 4 is referencing a custom condition called "SGAccess-IT-Firewall". What exactly is that rule? Details about it?
Also, can you provide some additional info:
1. Can you post a screenshot of the detailed failed authentication? I want to look at the whole screen with all of the attributes and rules that were matched
2. Provide a screenshot from a successful authentication session from another user
3. Confirm that the affected user has a digital user certificate that was signed from your PKI (Start > MMC > add snap-in > certificates > personal user certs)
4. Screenshot from your authentication profile and identity sequence that you are using with your authentication rules
If PEAP is working, that means that ISE is able to successfully query AD, so the issue is most likely with something else
The "SGAccess-IT-Firewall" you see in the rule is basically a condition that matches the external group I want. This is a predefined condition; that's why you see the name of my condition rather than the detail of the condition.
Like I was saying in my previous message, I have multiple rules for testing. Rule #3 and #4 are the rules I'm testing with.
Rule #3 is working because there is no condition to match the external group. Rule #4 is the one I would like to implement, but it is not working. So for now I'm switching between both rules for testing.
When it fails, it matches the last rule, which is a deny access (default rule).
I can't provide a successful authentication from another user because it is never working when I enable rule #4 and use a certificate for authentication. What I was saying was that it is working when I use PEAP for authentication. The difference I found in the detailed authentication result is the "other attributes" available. I included a screenshot in my first post.
So far I'm still searching. I can do the same thing in my lab on a test domain and test ISE server and it's working well.
I just want to give an update on this discussion. I have found why I was not able to match any external groups and why the attributes were not showing in the detailed logs.
The issue was with the certificate. When ISE is requesting the information on the AD for the authentication, ISE uses the CN contained in the certificate as the username for any request. So in my case the CN in the certificate was Robertson, Stephane. ISE is taking this information to search in AD. The right name to search with is the "username" in AD (in my case robertsons). So as soon as I created a certificate with "robertsons" as the CN, it worked.
Thanks for your help!
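To make the root cause in the answer above concrete, here is an added example (not code from the thread or from Cisco ISE) that replays the lookup the poster describes: the CN is pulled out of the certificate's subject DN and used as the key against a directory of AD usernames (sAMAccountName). The DN strings, the directory contents and the `IT-Firewall` group are constructed sample data, and the mapping of "certificate CN must equal AD username" is a simplified model of the behaviour described in the post, not the ISE implementation. Because an RFC 4514 DN separates RDNs with commas, a CN such as `Robertson, Stephane` arrives escaped as `CN=Robertson\, Stephane`, so the parser handles backslash escapes rather than splitting naively on commas.

```python
"""Replay of the CN-vs-username mismatch from the thread (constructed data).

The certificate subject is parsed as an RFC 4514 DN, the CN is taken as the
principal, and that principal is looked up against a sample AD table keyed by
sAMAccountName.  A CN that is a display name ("Robertson, Stephane") finds no
account, so no groups are retrieved and the group-based rule cannot match.
"""

from typing import Dict, List, Optional, Tuple

# Constructed sample directory: sAMAccountName (lower-cased) -> attributes.
SAMPLE_AD: Dict[str, dict] = {
    "robertsons": {"displayName": "Robertson, Stephane",
                   "memberOf": ["IT-Firewall", "Domain Users"]},
    "jdoe": {"displayName": "Doe, John", "memberOf": ["Domain Users"]},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (attribute, value) pairs.

    A backslash escapes the next character, so "CN=Robertson\\, Stephane"
    yields the single value "Robertson, Stephane" instead of two fragments.
    """
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Escaped character: keep it literally in whichever part we are in.
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":
            rdns.append(("".join(attr).strip(), "".join(value).strip()))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(ch)
        i += 1
    if attr:
        rdns.append(("".join(attr).strip(), "".join(value).strip()))
    return rdns


def get_attr(dn: str, name: str) -> Optional[str]:
    """Return the first value of attribute `name` (case-insensitive) in the DN."""
    for attr, value in parse_dn(dn):
        if attr.upper() == name.upper():
            return value
    return None


def lookup_user(principal: str, directory: Dict[str, dict] = SAMPLE_AD) -> Optional[dict]:
    """Resolve the principal the way the thread describes: it must equal an
    AD username (sAMAccountName).  Returns None when no account matches."""
    return directory.get(principal.lower())


def authorize(subject_dn: str, required_group: str,
              directory: Dict[str, dict] = SAMPLE_AD) -> dict:
    """Evaluate a hypothetical 'external group' rule for a certificate subject.

    Returns the extracted principal, whether AD resolved it, the groups that
    were retrieved (empty when unresolved) and whether the rule matched.
    """
    cn = get_attr(subject_dn, "CN")
    user = lookup_user(cn, directory) if cn else None
    groups = user["memberOf"] if user else []
    return {
        "principal": cn,
        "ad_match": user is not None,
        "groups": groups,
        "rule_matched": required_group in groups,
    }


if __name__ == "__main__":
    # Constructed subjects: the display-name CN from the thread and the fixed one.
    for dn in (r"CN=Robertson\, Stephane,OU=Users,DC=example,DC=com",
               r"CN=robertsons,OU=Users,DC=example,DC=com"):
        print(dn, "->", authorize(dn, "IT-Firewall"))
```

Running the script shows the first subject resolving to principal `Robertson, Stephane` with no AD match and no groups (which is why the "Other Attributes" view in the thread was empty and the rule fell through to the default deny), while the second resolves to `robertsons` and matches `IT-Firewall`.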