Solved: ISE 1.4 using EAP-TLS can´t identify user in a AD Group

almeidag · ‎09-24-2015

Hi

I have a client that want to use EAP-TLS authentication on his Wifi and he only wants the users in a distinct AD group to access the cooperate SSID.

I got the solution working with a PEAP authentication but with EAP-TLS it only works without the "AD Group" policy.

Any Idea on what i can do to get it to work ?

George

i found the problem, i had to adapt the "Certificate Authentication Profile " for the client AD

jan.nielsen · ‎09-24-2015

How is your dot1x configuration in your PC done ? How does the ISE log look, when it works ?

View solution in original post

jan.nielsen · ‎09-24-2015

Does the PC have machine certificates or user certificates installed ? If the PC uses computer certificates, you can't do group lookups for the user, as the user is not known to ise.

almeidag · ‎09-24-2015

Hi

I found out that the client has both certificates.

and what was strange was that the PC certificate worked but not the user cert. ...

Any ideia way ?

jan.nielsen · ‎09-24-2015

How is your dot1x configuration in your PC done ? How does the ISE log look, when it works ?

almeidag · ‎09-25-2015

hi

i found the problem i had to adapt the "Certificate Authentication Profile " for the client AD

thank you very much for your help.

George