12-18-2012 05:17 PM - edited 03-10-2019 07:54 PM
Hi all,
I'm having a problem when I'm using EAP-TLS with a certificate for authentication. The authentication is working if my authorization
criteria don't include an external group in the matching criteria. When I try to add an external group in my authorization rule, it
doesn't match my rule.
When I look in the "Other Attributes" field for that client it is not showing up as an available attribute.
Do you know why it is doing this? Is the user I use for joining the AD missing rights? Anything else? Active Directory
is 2003 and 2008.
FYI, when I use the same account to authenticate with PEAP rather than EAP-TLS the external groups are there and I can create
a rule to match the external group for that user.
Also, when I try to read the attributes for this user in the external identity, there are no attributes returned. Some other
users are working.
Any clue? Is there any debug I can enable to troubleshoot this?
Thanks in advance
12-21-2012 11:51 AM
Glad to hear that you found a solution and for posting it here! Five points from me! You should mark the question as answered so the thread can be closed.
Regards,
12-18-2012 07:14 PM
Hello-
Can you:
1. Post the whole screen of the authentication window
2. Post a screenshot of the supplicant configuration (including settings and advanced settings)
3. Version of ISE that you are using
12-19-2012 05:18 PM
Hi,
Here are the screenshots.
One of them is the authorization policy. Some of them are duplicates and disabled because I'm testing, but I want to mention that rule #3 is working and rule #4 is not working. This is where my problem is; rule
#4 includes the external group criteria. If I create the same rule #4 but use PEAP rather than a
certificate for authentication it will work.
I'm using ISE 1.1.2
Thanks
12-19-2012 06:46 PM
I am a little bit confused with your authorization rules: I don't see any references to any AD external groups. The differences that I see between your authorization rules 3 & 4 are:
1. Rule 3 is disabled and 4 is not
2. Rule 4 is referencing a custom conditional called "SGAccess-IT-Firewall" What exactly is that rule? Details about it?
Also, can you provide some additional info:
1. Can you post a screenshot of the detailed failed authentication? I want to look at the whole screen with all of the attributes and rules that were matched
2. Provide a screenshot from a successful authentication session from another user
3. Confirm that the affected user has a digital user certificate that was signed from your PKI (Start > MMC > add snap-in > certificates > personal user certs)
4. Screenshot of your authentication profile and identity sequence that you are using with your authentication rules
If PEAP is working that means that ISE is able to successfully query AD, so the issue is most likely with something else.
12-20-2012 09:05 AM
Hi,
The "SGAccess-IT-Firewall" you see in the rule is basically a condition that matches the external group I want. This is a predefined condition, which is why you see the name of my condition rather than the detail of the condition.
Like I was saying in my previous message, I have multiple rules for testing. Rule #3 and #4 are the rules I'm testing with.
Rule #3 is working because there is no condition to match the external group. Rule #4 is the one I would like to implement but it is not working. So for now I'm switching between both rules for testing.
When it fails, it matches the last rule, which is a deny access (default rule).
I can't provide a successful authentication from another user because it never works when I enable rule #4 and use a certificate for authentication. What I was saying was that it is working when I use PEAP for authentication. The difference
I found in the detailed authentication result is the "other attributes" available. I included a screenshot in my first post.
So far I'm still searching. I can do the same thing in my lab on a test domain and test ISE server and it's working well.
12-20-2012 07:25 PM
Hi,
I just want to give an update on this discussion. I have found why I was not able to match any external groups and
why the attributes were not showing in the detailed logs.
The issue was with the certificate. When ISE is requesting the information from AD for the authentication, ISE
uses the CN contained in the certificate as the username for any request. So in my case the CN in the certificate was Robertson, Stephane. ISE is taking this information to search in AD... The right name to search with is the "username"
in AD (in my case robertsons). So as soon as I created a certificate with "robertsons" as the CN it worked.
Thanks for your help!
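A small pre-deployment check that illustrates the mismatch described in this thread: it pulls the CN out of a certificate subject DN and tells you whether that value is an AD logon name or merely a display name. This is an added example, not code from the thread or from ISE; the account table, the DN strings and the function names are constructed for illustration.

```python
"""Check whether the subject CN of a user certificate is an AD logon name.

As the thread concludes, ISE takes the subject CN from the client certificate and
looks that value up in AD. If the CN is a display name ("Robertson, Stephane")
rather than the logon name ("robertsons"), the lookup finds nothing and no
external groups are available to the authorization policy.
"""
import re
from typing import Dict, Optional

# Constructed sample AD accounts (sAMAccountName -> displayName); not real data.
AD_ACCOUNTS: Dict[str, str] = {
    "robertsons": "Robertson, Stephane",
    "jdoe": "Doe, John",
}


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the CN from an RFC 4514-style subject DN, honouring '\\,' escapes."""
    # Split only on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.replace("\\,", ",").strip()
    return None


def check_lookup_identity(subject_dn: str, accounts: Dict[str, str] = AD_ACCOUNTS) -> dict:
    """Report whether the CN would resolve to an AD logon name (case-insensitive)."""
    cn = subject_cn(subject_dn)
    result = {"cn": cn, "matches_logon_name": False, "looks_like": None}
    if cn is None:
        return result
    # AD logon names are case-insensitive, so compare in lower case.
    if cn.lower() in {name.lower() for name in accounts}:
        result["matches_logon_name"] = True
        return result
    # Not a logon name: see whether the CN is a display name instead, which is
    # exactly the mismatch this thread ran into, and name the account it belongs to.
    for logon, display in accounts.items():
        if display.lower() == cn.lower():
            result["looks_like"] = logon
    return result


if __name__ == "__main__":
    for dn in ("CN=Robertson\\, Stephane,OU=Users,DC=example,DC=com",
               "CN=robertsons,OU=Users,DC=example,DC=com"):
        print(dn, "->", check_lookup_identity(dn))
```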