ACS 3.3 for windows - Win AD and eap-tls problem

Unanswered Question
Sep 6th, 2007
User Badges:


I have a problem with an ACS to authenticate users with certificate on MS AD.

Working things:

PEAP authentication with the MS AD;

EAP-TLS authentication with the local DB.

Not working things:

EAP-TLS authentication with MS AD.

Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.

Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.

So, why it's not working with the combination EAP-TLS and MS AD.

I receive the error 'External DB Account Restriction'

Thanks for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
scadora Fri, 09/07/2007 - 08:07
User Badges:
  • Cisco Employee,

What kind of certificate comparison do you have configured for TLS in ACS? For example, if you have SAN comparison, then check that the Subject Alternative Name in the certificate exists as a username in AD. The SAN may be different from the username that is sent in the MSCHAPv2 portion of PEAP.


philippe.denebourg Mon, 09/10/2007 - 22:41
User Badges:

I tried all options and I also tried a certificate with a cn equal to the user account and user name. I still have the same problem.

Premdeep Banga Sat, 09/08/2007 - 08:21
User Badges:
  • Gold, 750 points or more


Set ACS to debugging level from,

System Configuration > Service Control > Level of Detail - Full > Restart.

Then do one test authentication using Windows for EAP-TLS.

And get the file Auth.log and RDS.log from directory.



Above logs will give you complete picture, as why EAP-TLS with Windows is failing.



philippe.denebourg Mon, 09/10/2007 - 22:59
User Badges:

Thanks for your response.

I followed your advice and it seems that the problem is between the MS AD and the ACS but I'm not sure of my log interpretation.

I join the log file.

If somebody has any idea he is welcome!

Thnaks for your answer.

Premdeep Banga Tue, 09/11/2007 - 03:33
User Badges:
  • Gold, 750 points or more


This is what is interesting,

AuthenProcessResponse: process response for 'phd' against Windows Database

Unknown User 'phd' was not authenticated

Done RQ1027, client 50, status -2125

The field that is being picked from certificate has the value 'phd', check you check which field is it.

And was the logging at full?, I think something is missing in the logs.

Lets do a sanity check, and go through following link again,



philippe.denebourg Wed, 09/12/2007 - 06:31
User Badges:


I think that the message 'unknow user' means that the user is not in the local DB and then the system has to check the windows AD.

This message seems to be the result of sevral previous failed authentication to the AD as in the previous message:

AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database

AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2046

AUTH 09/11/2007 08:28:45 I 5094 0236 Worker 6 processing message 7.

AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (

The user PHD is well defined in the AD and again, it works with PEAP. (And with certif. but with the local DB only)


philippe.denebourg Wed, 09/12/2007 - 07:36
User Badges:

Good idea,

unfortunately I already tried this config except for the bin but i don't have a bin certificate in the AD.



This Discussion