ThoDoepke
Beginner

ISE AD Lookup fails

I have a problem with an AD lookup which is driving me nuts.

We are using machine certificates for authentication and AD groups for authorization policies.

We don't have any problems with Windows devices.

Now we are trying to include an Apple OS X device (native supplicant) and it doesn't work.

The certificate validation is successful, but afterwards the ISE tries an AD lookup for a user with the machine name instead of a machine lookup.

The only difference in the RADIUS request is the RADIUS username.

In case of Windows it's like host/machine and in case of OS X the host is missing.

So my guess is that the host/ part is needed by ISE to recognize the request as a machine authentication.

The problem is that I can't find a possibility to force the OS X supplicant to add this part.

Can anyone give me a hint how to configure the OS X supplicant correctly?

1 ACCEPTED SOLUTION

Accepted Solutions
Jatin Katyal
Cisco Employee

The issue is that the Windows client prepends a "host/" in front of the name on the certificate and the Macintosh client does not. This is a known issue with Mac clients when performing machine authentication with EAP-TLS.

One of my colleagues created a doc for the same; please review the doc and check if it helps.

https://supportforums.cisco.com/docs/DOC-15477

~BR
Jatin Katyal


That solved the problem.

Thanks a lot.

You're welcome

~BR
Jatin Katyal
