ACS 3.3 for windows - Win AD and eap-tls problem

Hi,

I have a problem with an ACS to authenticate users with certificate on MS AD.

Working things:

PEAP authentication with the MS AD;

EAP-TLS authentication with the local DB.

Not working things:

EAP-TLS authentication with MS AD.

Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.

Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.

So why is it not working with the combination EAP-TLS and MS AD?

I receive the error 'External DB Account Restriction'

Thanks for your help.

8 Replies

scadora
Cisco Employee

What kind of certificate comparison do you have configured for TLS in ACS? For example, if you have SAN comparison, then check that the Subject Alternative Name in the certificate exists as a username in AD. The SAN may be different from the username that is sent in the MSCHAPv2 portion of PEAP.

Shelly

I tried all options and I also tried a certificate with a cn equal to the user account and user name. I still have the same problem.

Premdeep Banga
Level 7

Hi,

Set ACS to debugging level from,

System Configuration > Service Control > Level of Detail - Full > Restart.

Then do one test authentication using Windows for EAP-TLS.

And get the files Auth.log and RDS.log from the directories

\CSAuth\Logs

\CSRadius\Logs

The above logs will give you the complete picture as to why EAP-TLS with Windows is failing.

Regards,

Prem

Thanks for your response.

I followed your advice and it seems that the problem is between the MS AD and the ACS but I'm not sure of my log interpretation.

I join the log file.

If somebody has any idea he is welcome!

Thanks for your answer.

Hi,

This is what is interesting,

AuthenProcessResponse: process response for 'phd' against Windows Database

Unknown User 'phd' was not authenticated

Done RQ1027, client 50, status -2125

The field that is being picked from the certificate has the value 'phd'; check which field it is.

And was the logging at full? I think something is missing in the logs.

Let's do a sanity check, and go through the following link again:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

Regards,

Prem

Hi,

I think that the message 'unknown user' means that the user is not in the local DB and then the system has to check the Windows AD.

This message seems to be the result of several previous failed authentications to the AD, as in the previous message:

AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database

AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2046

AUTH 09/11/2007 08:28:45 I 5094 0236 Worker 6 processing message 7.

AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (127.0.0.1)

The user PHD is well defined in the AD and again, it works with PEAP. (And with certif. but with the local DB only)

Phil.
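An added example, not from this thread or from Cisco, that pulls the per-request user, external database, status code and 'Unknown User' marker out of CSAuth Auth.log lines in the format quoted above, so the failing step can be located without reading the whole log. The sample lines are constructed from the excerpts posted in the thread; the status codes are reported as-is, not interpreted.

```python
import re

# Constructed excerpt in the CSAuth Auth.log format quoted in the thread
SAMPLE_LOG = """\
AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (127.0.0.1)
AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database
AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2046
AUTH 09/11/2007 08:28:45 I 5094 0236 Worker 6 processing message 7.
AUTH 09/11/2007 08:28:45 I 5081 0236 Start RQ1027, client 50 (127.0.0.1)
AUTH 09/11/2007 08:28:45 I 0709 0236 AuthenProcessResponse: process response for 'phd' against Windows Database
AUTH 09/11/2007 08:28:45 I 0709 0236 Unknown User 'phd' was not authenticated
AUTH 09/11/2007 08:28:45 I 5081 0236 Done RQ1027, client 50, status -2125
"""

# The three message shapes we care about; searched anywhere in the line so
# excerpts pasted without the "AUTH <date> <time> ..." prefix still match.
RE_RESPONSE = re.compile(r"process response for '(?P<user>[^']+)' against (?P<db>.+?) Database")
RE_UNKNOWN = re.compile(r"Unknown User '(?P<user>[^']+)' was not authenticated")
RE_DONE = re.compile(r"Done RQ\d+, client \d+, status (?P<status>-?\d+)")


def parse_auth_log(text):
    """Group lines into requests (Start ... Done) and record, per request,
    the user name taken from the certificate, the external DB it was checked
    against, the final status code, and whether ACS logged 'Unknown User'."""
    attempts, current = [], None
    for line in text.splitlines():
        if "Start RQ" in line:
            current = {"user": None, "db": None, "status": None, "unknown_user": False}
            continue
        m = RE_RESPONSE.search(line)
        if m:
            if current is None:  # excerpt with the Start line cut off
                current = {"user": None, "db": None, "status": None, "unknown_user": False}
            current["user"], current["db"] = m.group("user"), m.group("db")
            continue
        if current is None:
            continue
        if RE_UNKNOWN.search(line):
            current["unknown_user"] = True
            continue
        m = RE_DONE.search(line)
        if m:
            current["status"] = int(m.group("status"))
            attempts.append(current)
            current = None
    return attempts


def failed_attempts(attempts):
    """Return (user, db, status, unknown_user) for every request that ended with a negative status."""
    return [(a["user"], a["db"], a["status"], a["unknown_user"])
            for a in attempts if a["status"] is not None and a["status"] < 0]
```

Running `failed_attempts(parse_auth_log(open("Auth.log").read()))` on a full-detail log lists each rejected request with the user string ACS extracted from the certificate, which is the value to compare against the account name in AD.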

What kind of comparison are we doing,

Certificate SAN Comparison, Or

Certificate CN Comparison, Or

Certificate Binary Comparison.

Or all of the above, if all of the above, then try with CN or SAN alone,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp326018

Regards,

Prem

Good idea,

unfortunately I already tried this config except for the bin, but I don't have a bin certificate in the AD.

Phil.
