ISE 1.2 EAP-TLS and AD authentication

Hi,

I am sure I have had this working but just can't get it to now.

So I have a computer that has a certificate on it with the SAN principal name = 12345@mydomain.com. This is an auto-enrolled cert from my AD.

My authentication profile says:

IF the SSID (called-station) contains eduroam and principal name contains @mydomain.com then use a certificate authentication profile. (See attachment below.)

Then my authorization profile says:

if Active Directory group = "Domain Computers" then allow access.

When my computer tries to join it passes the certificate test, but when it gets to the AD group I get the below.

24433          Looking up machine in Active Directory - FY8FCT1$@mydomain.ac.uk

24492          Machine authentication against Active Directory has failed

22059          The advanced option that is configured for process failure is used

22062          The 'Drop' advanced option is configured in case of a failed authentication request

But I know my machine is in AD? What do I need to do to get the PC to use EAP-TLS to authenticate and an AD group to authorize?

Cheers

6 Replies

On Admin->Identity Management->External Identity Sources->Active Directory->Advanced Settings tab, do you have the enable machine authentication checkbox selected?


Hi,

Yep, looks like it.

Can you post a screenshot of your relevant Authentication and Authorization policy settings?


Authen.png

This accepts all requests to one SSID and then, as you can see, if it is EAP-TLS it uses the cert store (see below), otherwise AH.

Authorization.png

This just says if AD Group = /user/domainComputer allow full access (simple rule).

cert store.png

Perhaps try using the "common name" subject attribute, not the "other name" subject attribute. In the past, I've used common name for my deployments and it had worked. I also configure it a little differently, by configuring an identity source sequence for AD then local, with the certificate profile selected. Not saying my way is the right way, just saying how I had achieved success in the past.

Trouble is I need the machine to use the "principal name" for authentication. My username must be in the format

xxx@domain.com
