09-06-2007 07:59 AM - edited 03-10-2019 03:22 PM
Hi,
I have a problem with an ACS authenticating users with a certificate against MS AD.
Working things:
PEAP authentication with the MS AD;
EAP-TLS authentication with the local DB.
Not working things:
EAP-TLS authentication with MS AD.
Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
Because I'm able to auth users with certificates in EAP-TLS, I guess my certificate config is correct.
So why is it not working with the combination of EAP-TLS and MS AD?
I receive the error 'External DB Account Restriction'.
Thanks for your help.
09-07-2007 08:07 AM
What kind of certificate comparison do you have configured for TLS in ACS? For example, if you have SAN comparison, then check that the Subject Alternative Name in the certificate exists as a username in AD. The SAN may be different from the username that is sent in the MSCHAPv2 portion of PEAP.
Shelly
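As an added illustration of Shelly's point (this is example code, not Cisco ACS code and not from the thread): the identity the server looks up in the directory depends on which certificate comparison mode is configured. The three modes below are the ones named later in this thread (CN, SAN, binary); the AD record layout, the parsing of the subject DN and all sample values (the user "phd", the UPNs, the placeholder DER bytes) are constructed for the demo. The CN case matches the sAMAccountName, the SAN case fails because the UPN in the certificate differs from the UPN stored in AD, and the binary case fails because no certificate has been published to the userCertificate attribute.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject_dn: str          # e.g. "CN=phd,OU=Users,DC=corp,DC=example"
    san_upn: Optional[str]   # UPN carried in the subjectAltName otherName, if any
    der: bytes               # raw certificate bytes (constructed placeholder below)


@dataclass
class AdUser:
    """Simplified directory entry; only the attributes the comparison needs."""
    sam_account_name: str
    user_principal_name: str
    user_certificates: List[bytes] = field(default_factory=list)


def subject_cn(dn: str) -> Optional[str]:
    """Pull the CN value out of a comma-separated subject DN (simplified parse)."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def lookup(directory: List[AdUser], mode: str, cert: Cert) -> Tuple[Optional[AdUser], str]:
    """Resolve the account a certificate maps to under one comparison mode.

    Returns (matched_user_or_None, human-readable reason).
    """
    if mode == "cn":
        name = subject_cn(cert.subject_dn)
        for user in directory:
            if name and user.sam_account_name.lower() == name.lower():
                return user, f"CN '{name}' matched sAMAccountName"
        return None, f"CN '{name}' is not a sAMAccountName in the directory"
    if mode == "san":
        if cert.san_upn is None:
            return None, "certificate carries no UPN in subjectAltName"
        for user in directory:
            if user.user_principal_name.lower() == cert.san_upn.lower():
                return user, f"SAN UPN '{cert.san_upn}' matched userPrincipalName"
        return None, f"SAN UPN '{cert.san_upn}' is not a userPrincipalName in the directory"
    if mode == "binary":
        for user in directory:
            if cert.der in user.user_certificates:
                return user, "exact certificate found in userCertificate"
        return None, "no account has this certificate in userCertificate"
    raise ValueError(f"unknown comparison mode: {mode}")


# Constructed sample data: CN matches the account name, but the UPN in the
# certificate's SAN is not the UPN stored on the AD object, and the certificate
# itself was never published to AD.
CERT = Cert(
    subject_dn="CN=phd,OU=Users,DC=corp,DC=example",
    san_upn="phd@corp.example",
    der=b"\x30\x82CONSTRUCTED-DER-PLACEHOLDER",
)
DIRECTORY = [
    AdUser("phd", "philippe@corp.example"),
    AdUser("alice", "alice@corp.example", user_certificates=[b"\x30\x82OTHER-CERT"]),
]


def run_all(directory: List[AdUser] = DIRECTORY, cert: Cert = CERT):
    """Evaluate every comparison mode for one certificate."""
    return {mode: lookup(directory, mode, cert) for mode in ("cn", "san", "binary")}


if __name__ == "__main__":
    for mode, (user, reason) in run_all().items():
        print(f"{mode:7s} {'OK  ' if user else 'FAIL'}  {reason}")
```

When several modes are enabled together, a mismatch in any one of them is enough to block the account, which is why trying CN or SAN alone is a useful isolation step.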
09-10-2007 10:41 PM
I tried all options and I also tried a certificate with a cn equal to the user account and user name. I still have the same problem.
09-08-2007 08:21 AM
Hi,
Set ACS to debugging level from:
System Configuration > Service Control > Level of Detail - Full > Restart.
Then do one test authentication using Windows for EAP-TLS.
Then get the files Auth.log and RDS.log from the directory.
The above logs will give you the complete picture of why EAP-TLS with Windows is failing.
Regards,
Prem
09-10-2007 10:59 PM
09-11-2007 03:33 AM
Hi,
This is what is interesting,
AuthenProcessResponse: process response for 'phd' against Windows Database
Unknown User 'phd' was not authenticated
Done RQ1027, client 50, status -2125
The field that is being picked from the certificate has the value 'phd'; check which field it is.
And was the logging at full? I think something is missing in the logs.
Let's do a sanity check and go through the following link again,
Regards,
Prem
09-12-2007 06:31 AM
Hi,
I think that the message 'unknown user' means that the user is not in the local DB and then the system has to check the Windows AD.
This message seems to be the result of several previous failed authentications to the AD, as in the previous message:
AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database
AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2046
AUTH 09/11/2007 08:28:45 I 5094 0236 Worker 6 processing message 7.
AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (127.0.0.1)
The user PHD is well defined in the AD and again, it works with PEAP (and with a certificate, but with the local DB only).
Phil.
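An added example for working through the Auth.log excerpts above (this is not part of the thread and not an ACS tool): a small parser that correlates the "Start RQ" and "Done RQ" lines of each request, attaches the "process response for ... against ... Database" and "Unknown User" lines to the request in between, and reports the user, the back-end database and the final status code. The sample log is constructed from the line shapes quoted in this thread; the assumption that the fourth column (0236) is a worker/thread identifier used to tie lines of one request together is mine, and no meaning is assigned to the numeric status values beyond non-zero meaning the request did not succeed.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the Auth.log lines quoted in this thread.
SAMPLE_LOG = """\
AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (127.0.0.1)
AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database
AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2046
AUTH 09/11/2007 08:28:45 I 5094 0236 Worker 6 processing message 7.
AUTH 09/11/2007 08:28:46 I 5081 0236 Start RQ1028, client 50 (127.0.0.1)
AUTH 09/11/2007 08:28:46 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database
AUTH 09/11/2007 08:28:46 I 0709 0236 Unknown User 'phd' was not authenticated
AUTH 09/11/2007 08:28:46 I 5081 0236 Done RQ1028, client 50, status -2125
"""

# Column layout assumed: AUTH <date> <time> <level> <msg-id> <thread> <message>
LINE_RE = re.compile(r"^AUTH (\S+ \S+) (\w) (\d{4}) (\d{4}) (.*)$")
START_RE = re.compile(r"^Start RQ(\d+), client (\d+)")
RESP_RE = re.compile(r"process response for '([^']+)' against (\w+) Database")
UNKNOWN_RE = re.compile(r"^Unknown User '([^']+)' was not authenticated")
DONE_RE = re.compile(r"^Done RQ(\d+), client (\d+), status (-?\d+)")


def parse_auth_log(text: str) -> List[Dict]:
    """Group Auth.log lines into requests keyed by the Start/Done RQ markers."""
    requests: List[Dict] = []
    open_by_thread: Dict[str, Dict] = {}   # thread id -> request still in progress
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                        # not an AUTH line we understand
        ts, _level, _msg_id, thread, msg = m.groups()
        s = START_RE.match(msg)
        if s:
            req = {"rq": s.group(1), "client": s.group(2), "start": ts, "end": None,
                   "user": None, "database": None, "unknown_user": False, "status": None}
            requests.append(req)
            open_by_thread[thread] = req
            continue
        req = open_by_thread.get(thread)
        if req is None:
            continue                        # chatter outside any request, e.g. worker lines
        r = RESP_RE.search(msg)
        if r:
            req["user"], req["database"] = r.group(1), r.group(2)
            continue
        u = UNKNOWN_RE.match(msg)
        if u:
            req["unknown_user"] = True
            req["user"] = req["user"] or u.group(1)
            continue
        d = DONE_RE.match(msg)
        if d and d.group(1) == req["rq"]:
            req["status"] = int(d.group(3))
            req["end"] = ts
            open_by_thread.pop(thread)
    return requests


def failures(requests: List[Dict]) -> List[Dict]:
    """Requests that completed with a non-zero status."""
    return [r for r in requests if r["status"] is not None and r["status"] != 0]


if __name__ == "__main__":
    for req in parse_auth_log(SAMPLE_LOG):
        flag = " (unknown user)" if req["unknown_user"] else ""
        print(f"RQ{req['rq']} user={req['user']} db={req['database']} "
              f"status={req['status']}{flag}")
```

Run against a full-detail Auth.log, the per-request view makes it easy to see which status code each attempt ended with and whether the "Unknown User" line belongs to the same request as the Windows Database lookup or to a later one.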
09-12-2007 06:37 AM
What kind of comparison are we doing,
Certificate SAN Comparison, Or
Certificate CN Comparison, Or
Certificate Binary Comparison.
Or all of the above, if all of the above, then try with CN or SAN alone,
Regards,
Prem
09-12-2007 07:36 AM
Good idea,
Unfortunately I already tried this config, except for the binary one, but I don't have a binary certificate in the AD.
Phil.