
ISE AD Lookup fails

ThoDoepke
Level 1

I have a problem with an AD lookup which is driving me nuts.

We are using machine certificates for authentication and AD groups for authorization policies.

We don't have any problems with Windows devices.

Now we are trying to include an Apple OS X device (native supplicant) and it doesn't work.

The certificate validation is successful, but afterwards the ISE tries an AD lookup for a user with the machine name instead of a machine lookup.

The only difference in the RADIUS request is the radius-username.

In case of Windows it's like host/machine, and in case of OS X the host is missing.

So my guess is that the host/ part is needed by ISE to recognize the request as a machine authentication.

The problem is that I can't find a possibility to force the OS X supplicant to add this part.

Can anyone give me a hint how to configure the OS X supplicant correctly?

1 Accepted Solution


Jatin Katyal
Cisco Employee

The issue is that the Windows client prepends a "host/" in front of the name on the certificate and the Macintosh client does not. This is a known issue with Mac clients when performing machine authentication with EAP-TLS.

One of my colleagues created a doc for the same; please review the doc and check if it helps.

https://supportforums.cisco.com/docs/DOC-15477

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


4 Replies

That solved the problem.

Thanks a lot.

You're welcome

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Is this document still available? I think it could bring me closer to resolving my problems. Can it be somehow provided again?