EAP-TLS and ACS 5.1 with AD

Unanswered Question
Jan 25th, 2010


I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:

24435  Machine Groups retrieval from Active Directory succeeded

24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.

24483  Failed to retrieve the machine certificate from Active Directory.

22049  Binary comparison of certificates failed

22057  The advanced option that is configured for a failed authentication request is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

12507  EAP-TLS authentication failed

11504  Prepared EAP-Failure

11003  Returned RADIUS Access-Reject
What ist the problem? I can't find documents how to configure this in detail.
Can some one helf me?
King regardes
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jagdeep Gambhir Mon, 01/25/2010 - 07:19

Hi Torsten,

Did you enable " Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Director" in acs-->Users and Identity Stores-->Local certificate-->Edit ?



t_hesse Mon, 01/25/2010 - 07:41


I can't find this point 'acs-->Users and Identity Stores-->Local certificate-->Edit ?' in my ACS-Webpage.

I have under 'Users and Identity Stores' only Certificate Authorities, Certificate Authentication Profile and Identity Store Sequences.

But I use a Certificate Authentication Profile in wich I selectet 'Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory '



Jatin Katyal Tue, 01/26/2010 - 03:26

Hi Torsten,

The option you are looking for is under system configuration:

Configuring Local Server Certificates


Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:

Configuring CA Certificates





Plz rate helpful posts-

t_hesse Tue, 01/26/2010 - 03:48


yes on this point I import my CA-Certifacte and bind ist to the Protocol EAP and Management Interface. (both points I can select on the edit page). That was done before I open the case. The error must be on an other Topic. But I don't no where. Would it help if I send some Hardcopys of Configpages? So please tell me which one you need.

King regardes


nhan.duong Wed, 08/11/2010 - 07:48

Hi, I am using the Certitifcate from CA server.  so binding the " Local Server Certificates" and  "CA Certificates" with the same certificate right? 

manikandan15 Wed, 04/14/2010 - 01:09

Hi These,

I installed cisco ACS 5.1 version in Vmware server successfully. Now I am trying to join  this ACS server into my Windows Active Directory ( 2008 ). While trying the same i am unable to join this active directory.

Error which i got while trying the same as " Can not resolve network address "

I already verified with Domain name, Dns ip address and domain name resolve and network reachailbility and access permission with rights to join active directory..

Please help in this to complete the activity and let me now how you done this with what procedure do you followed.



Jagdeep Gambhir Wed, 04/14/2010 - 06:32

Please make sure that ACS and AD are on same timezone. From ACS cli issue command "show clock"

Timezone is to be configured manually on acs. So Time and timezone needs to be same.



Do rate helpful posts

manikandan15 Fri, 04/16/2010 - 23:58

Hi  Jagdeep,

Thanks alot and i find the problem. Its actually in AD timezone is mentioned wrong thats why i am not able to join in my AD.

Yea now I am able to join my ACS into AD without any issues. One more think, after joined to AD my ACS will showing wrong timing while checking the AAA logs. But, in ACS GUI as weel as CLI it showing correct timing only.

Please suggest me in this and let me what could the reason for this problem.



glearmon Wed, 08/10/2011 - 21:01

Wouldn't there be a 'clock skew' error if the timezone's were different ?

nickjacobs Thu, 07/08/2010 - 20:21

Hi Torsten,

I am having the same problem - did you ever get this resolved? Doing local ACS cert auth (as part of the AD certficate chain setup) works for machine auth instead of binary comparison against cert pulled from AD , but I need the AD integrated features to check dial in properties etc - and when I have binary comparison on, user auth works and machine auth gets this problem you describe.



nickjacobs Tue, 07/13/2010 - 18:47
There is an attribute in the machine certificate template in AD for issueing of machine certificates - there is a check box to publish the certificate to AD - this was not checked and is needed to be. So basically examining a cert in AD for a user the userCertificate attribute was populated with a binary cert, but under a machine object the userCertificate attribute was empty - hence ACS couldn't find the attribute to binary compare with when it looked up the machine account.
A matter of ticking a checkbox in AD will fix this.
theeaglelb Mon, 10/31/2011 - 13:14

I am using ACS 5.3 and i had the same error "Binary comparison of certificates failed" .

The issue was that in AD the group Cert Publisher was not added to the users which mean that the Certificate was not present in AD. After adding the users to this group and delete and request a new cert for the user, all works fine


This Discussion