Hi Prem,

Thanks for your reply.

Just to be sure I understand correctly, the ACS will check the field "host/..." of the certificate against the entries of the A.D. ?

So I need to deploy remote agent on the A.D.

Then it could be possible for the ACS to deny an authentication if the machine certificate is valid, but the machine not a member of the windows domain ?

Thanks for your attention.

Best Regards,

Arnaud

Prem,

Many thanks for all these inputs.

That's great!

I'm going to perform tests in order to deploy the architecture.

I'm also going to have a closer look at the link you pointed to me.

Best Regards,

Arnaud

Hi Prem,

I'm presently in the step of testing and validating the setup.

I've configured the radio part (cisco airespace), the acs appliance (v4.1), the Active Directory and the Certificate Authority (windows).

I've added a laptop in the windows domain.

A machine certificate has been assigned to the laptop.

I've configured the windows wifi client for EAP TLS. I've also added the 2 registry keys.

I've installed the ACS remote agent on the domain controler. I've configured the external user database (domain list retrieved by the remote agent and machine authentication enabled).

When trying to connect on the wifi SSID, I can't manage to authenticate.

The laptop managed to associate, but in no way to authenticate.

I cound't see failed attemps on the ACS.

On the client, an error message indicated that windows couldn't find certificate to authenticate.

So I've added a user certificate on the laptop.

I still couldn't manage to authenticate, but I no longer have the previous error message. And still no logs on the ACS.

Then I've modified the setup of the windows wifi client. I've configured PEAP. Then, when trying to associate, I have the popup for user/password. I can't manage to log on, which is 'normal' because PEAP isn't configured on the ACS. But at least, I can see failed attemps on the ACS logs.

So It seems I'm doing something wrong on the windows wifi client.

Would someone have any advices ?

Thanks in advance for your attention.

Best Regards,

Arnaud

Hi Arnaud,

As you have mentioned that you are able to get hits on ACS with PEAP, then we ca rule out the issue of NAS and client communication.

Now as we are using 4.1(i guess 4.1.1.23), in this sometimes what you get/don?t get on fail/pass logs isn't the complete story.

Increase the level of detail. on ACS from System Configuration > Service Control > Full > Restart

Get one authentication attempt by EAP-TLS, and make sure that controller is indeed sending the access request to ACS.

Then you can extract the detailed logs from ACS.

System Configuration > Support > Run support Now.

Check the auth.log and RDS.log, it will give you ample information, what's happening.

But it could also be client misconfiguration issue as well. At this point we cannot pin point to certain direction.

HTH

Regards,

Prem

Hi Prem,

Thanks for these inputs.

I've passed the logs details to full, performed other tests and retrieved the package.cab.

I've started investigating the 2 log files you pointed.

First, we can see that the requests reach the ACS, so that's a good point.

Then, I'm not sure how to understand the messages.

In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.

But I'm not sure this NAP problem to be the root cause of my problem.

And when no NAP is matched, then the default action should accept.

We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.

I don't know what CSDB is.

I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.

I copy below an extract of the auth.log.

I also attach parts of auth.log and RDS.log.

If you have any ideas or advices ?

Thanks in advance for your attention.

Best Regards,

Arnaud

AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------

[...]

AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1

AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr

[...]

AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)

[...]

AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing

AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'

AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB

AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

[...]

Thanks for the logs,

It seems like that ACS is only checking its internal database. Not the windows database.

Make sure that you have configured Unknown User Policy properly.

External User Databases > Unknown User Policy

Make sure that it is not selected as failed the attempt, windows database should be selected.

Also, as this is related to windows, if we are using ACS SE, check the CSWinagent logs too, that can be found under installation folder of Remote Agent.

Summarizing, the host is not being looked up in AD, I guess some configuration issue.

Regards,

Prem

Prem,

Before reding your last post, I've added a Network Access Profile.

Its configuraiton is basic. It accepts all protocols.

I've retried the tests and retrieved the package.cab.

Then, the ACS tries to authenticate the request againt the windows database, but it seems without response (NULL response supplied).

And in the ACS / reports and activity / failed attemps: now I have an entry: "EAP-TLS, EAP type not configured".

I've checked my EAP-TLS configuration, but I've followed the indications pointed by the cisco doc. Maybe I've missed a parameters, but I don't think.

Which is strange is that I don't have new pessages in failed attempts. But I would expect seral entries (each time the laptop retries to connec / authenticate) ?

I've checked the parameters you pointed to me in your last post: windows database is well configured for unknown external databas

Here are extracts from auth.log:

And finally, regarding the logs on the remote agent, there is no entries in it.

AUTH 04/07/2007 14:21:58 I 1645 1984 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against Windows Database

AUTH 04/07/2007 14:21:58 I 5081 1984 Done RQ1026, client 50, status -2046

AUTH 04/07/2007 14:21:58 I 5094 1984 Worker 6 processing message 45.

AUTH 04/07/2007 14:21:58 I 5081 1984 Start RQ1027, client 50 (127.0.0.1)

[...]

AUTH 04/07/2007 14:22:52 I 2817 1852 AuthenReaperThread: freeing session id 4b

AUTH 04/07/2007 14:22:52 I 0396 1852 External DB [NTAuthenDLL.dll]: Response from user [host/nomadev2001.lab.fr] with state [0]

AUTH 04/07/2007 14:22:52 I 0396 1852 External DB [NTAuthenDLL.dll]: NULL response supplied

AUTH 04/07/2007 14:22:52 I 0143 1852 [PDE]: PolicyMgr::TerminateContext: context id=57 is deleted

Best Regards,

Arnaud

You are right, it seems like something is not configured right. For basic testing I would recommend you to not to mix NAP.

And I guess we have ACS Solution Engine/Appliance? correct me if I am wrong.

Check the Remote Agent logs, and

make sure that we have correct version installed to talk to AD.

suppose you have ACS version 4.1.1.23, then go to command prompt on the machine where RA is installed.

And issue is command under bin folder

bin\csagent -v

both versions must watch.

Regards,

Prem

Prem,

You're right, it's an appliance version of the ACS.

Here are the versions :

remote agent (on windows): 4.1(3.12)

ACS appliance: 4.1.1.23

So they're both 4.1, but minor release / build version are not the same.

I connected myself on the cisco download page of ACS software. There are lots of different versions, both for ACS as well as for remote agent.

I've retrieved the remote agent 4.1.1.23-k9.

Should I install this version of the remote agent instead of the 4.1.3.12 ?

Or should I upgrade the ACS software ?

And should I apply the latest patchs ? Or must I apply the patches only if cisco TAC require me to do so ? I've started reading the release notes, I could notice issues regarding to EAP-TLS in particular setup.

Arnaud

You can go any way you want.

but ACS version and RA version needs to be same

both need to be either 4.1.1.23 or both need to be 4.1.3.12

And If you have upgrade 4.1.3.12 or 4.1.1.23 that?s good, if not, you wont be able to download it. You would be required to contact TAC, so that they can publish it for you.

Regards,

Prem

Correction

*And If you have upgrade 4.1.3.12 or 4.1.1.23

*And If you have upgrade 4.1.3.12 for 4.1.1.23