ACS40, EAP-TLS against Windows AD

Unanswered Question
Jul 16th, 2008
User Badges:

We deployed ACS 4.0 (NOT ACS SE) and WLAN in our corporate network.


Our ultimate goal is to have each staff authenticated against our AD via ACS using EAP-TLS.


We managed to get PEAP working successfully, but failed with EAP-TLS.


From the log we noticed that when PEAP is used, ACS forward username to AD in domain-qualified format (domain\user),and authentication is successful.

When EAP-TLS is used, ACS forward username to AD in UPN format ([email protected]), and auth.log received "External DB [NTAuthenDLL.dll]: cannot get user account controler for [email protected]

External DB [NTAuthenDLL.dll]: user [email protected] was not found

Unknown user '[email protected]' was not authenticated" . Any workaround for this?


Can anyone throw some light here?


Thank you.

Lahki


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jagdeep Gambhir Thu, 07/17/2008 - 11:12
User Badges:
  • Red, 2250 points or more

Lahki,

Please see this link,


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp326018


To permit user access to the network or computer authenticating with EAP-TLS, ACS must verify that the claimed identity (presented in the EAP Identity response) corresponds to the certificate that the user presents. ACS can accomplish this verification in three ways:


•Certificate SAN Comparison-Based on the name in the Subject Alternative Name field in the user certificate.


•Certificate CN Comparison-Based on the name in the Subject Common Name field in the user certificate.


•Certificate Binary Comparison-Based on a binary comparison between the user certificate in the user object in the LDAP server or Active Directory and the certificate that the user presents during EAP-TLS authentication. This comparison method cannot be used to authenticate users who are in an ODBC external user database (ACS for Windows only).



Regards,

~JG

Lucky8888 Thu, 07/17/2008 - 16:50
User Badges:

JG,


Thanks the response.

We are using Certificate SAN Comparison, and the SAN field in the user certificate matches the user account in AD.


Is there anyone in here who used EAP-TLS with ACS against external Windows database and succeeded? Please throw some light in here. Many thanks in advance.

Actions

This Discussion