07-16-2008 06:14 PM - edited 03-10-2019 03:58 PM
We deployed ACS 4.0 (NOT ACS SE) and WLAN in our corporate network.
Our ultimate goal is to have each staff authenticated against our AD via ACS using EAP-TLS.
We managed to get PEAP working successfully, but failed with EAP-TLS.
From the log we noticed that when PEAP is used, ACS forward username to AD in domain-qualified format (domain\user),and authentication is successful.
When EAP-TLS is used, ACS forward username to AD in UPN format (user@domain), and auth.log received "External DB [NTAuthenDLL.dll]: cannot get user account controler for user@domain
External DB [NTAuthenDLL.dll]: user user@domain was not found
Unknown user 'user@doamin' was not authenticated" . Any workaround for this?
Can anyone throw some light here?
Thank you.
Lahki
07-17-2008 11:12 AM
Lahki,
Please see this link,
To permit user access to the network or computer authenticating with EAP-TLS, ACS must verify that the claimed identity (presented in the EAP Identity response) corresponds to the certificate that the user presents. ACS can accomplish this verification in three ways:
â¢Certificate SAN Comparison-Based on the name in the Subject Alternative Name field in the user certificate.
â¢Certificate CN Comparison-Based on the name in the Subject Common Name field in the user certificate.
â¢Certificate Binary Comparison-Based on a binary comparison between the user certificate in the user object in the LDAP server or Active Directory and the certificate that the user presents during EAP-TLS authentication. This comparison method cannot be used to authenticate users who are in an ODBC external user database (ACS for Windows only).
Regards,
~JG
07-17-2008 04:50 PM
JG,
Thanks the response.
We are using Certificate SAN Comparison, and the SAN field in the user certificate matches the user account in AD.
Is there anyone in here who used EAP-TLS with ACS against external Windows database and succeeded? Please throw some light in here. Many thanks in advance.
07-20-2008 03:49 PM
Hi JG,
We managed to get both PEAP and EAP-TLS working with ACS authenticating against windows AD.
http://www.cisco.com/en/US/ts/fn/200/fn20228.html
Regards
Lahki
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide