EAP-TLS and ACS 5.1 with AD

Jan 25th, 2010

Hello,


I want to set up ACS 5.1 for dot1x port authentication. I want to do machine authentication against an AD domain, and I get the following error messages:

24435  Machine Groups retrieval from Active Directory succeeded
24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24483  Failed to retrieve the machine certificate from Active Directory.
22049  Binary comparison of certificates failed
22057  The advanced option that is configured for a failed authentication request is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
12507  EAP-TLS authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

What is the problem? I can't find documents describing how to configure this in detail.
Can someone help me?
Kind regards,
Torsten
Jagdeep Gambhir Mon, 01/25/2010 - 07:19

Hi Torsten,

Did you enable "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" in acs-->Users and Identity Stores-->Local certificate-->Edit?

Regards,

~JG


t_hesse Mon, 01/25/2010 - 07:41

Hi,

I can't find this point 'acs-->Users and Identity Stores-->Local certificate-->Edit ?' in my ACS-Webpage.

Under 'Users and Identity Stores' I only have Certificate Authorities, Certificate Authentication Profile and Identity Store Sequences.

But I use a Certificate Authentication Profile in which I selected 'Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory'.

Regards

Torsten

Jatin Katyal (Cisco Employee) Tue, 01/26/2010 - 03:26

Hi Torsten,


The option you are looking for is under System Configuration:

Configuring Local Server Certificates

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640

Under acs-->Users and Identity Stores-->Local certificate-->Edit you can only import/configure CA certificates:

Configuring CA Certificates

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666

HTH

Regards,

JK

Please rate helpful posts.

t_hesse Tue, 01/26/2010 - 03:48

Hi,


Yes, at this point I import my CA certificate and bind it to the protocol EAP and the management interface (both points I can select on the edit page). That was done before I opened the case. The error must be in another area, but I don't know where. Would it help if I sent some hardcopies of the config pages? Please tell me which ones you need.

Kind regards,

Torsten

nhan.duong Wed, 08/11/2010 - 07:48

Hi, I am using the certificate from the CA server, so I bind the "Local Server Certificates" and "CA Certificates" with the same certificate, right?

manikandan15 Wed, 04/14/2010 - 01:09

Hi there,

I installed Cisco ACS 5.1 on a VMware server successfully. Now I am trying to join this ACS server to my Windows Active Directory (2008), but I am unable to join the domain.

The error I get is "Can not resolve network address".

I already verified the domain name, the DNS IP address, domain name resolution, network reachability, and that the account has the rights to join Active Directory.

Please help me complete this, and let me know how you did it and what procedure you followed.


Regards

Manikandan

Jagdeep Gambhir Wed, 04/14/2010 - 06:32

Please make sure that ACS and AD are in the same timezone. From the ACS CLI, issue the command "show clock".

The timezone has to be configured manually on ACS, so the time and the timezone need to be the same.

Regards,

~JG

Do rate helpful posts
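An added example, not from the thread and not Cisco's code, of the checks a practitioner would run before and during an ACS-to-AD join: a PowerShell script for a domain-joined Windows host with the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later). It resolves the domain's DC SRV records, tests the ports a join needs on each DC, and measures the skew between the ACS clock (pasted from the ACS CLI "show clock" output, as suggested above) and this host's UTC time against the 5-minute Kerberos default tolerance. Assumptions: the domain name example.local, that ACS reports its clock in UTC, and that the appliance prints "show clock" in the form "Wed Apr 14 06:32:00 UTC 2010" (verify on your own appliance; the sample string in the usage lines is constructed).

```powershell
# Added example, not from the thread. Assumed: domain example.local; ACS 'show clock'
# output in the form "Wed Apr 14 06:32:00 UTC 2010" (verify on your appliance).

# 1. A join needs the domain's DC SRV records and a DC reachable on Kerberos (88),
#    LDAP (389), SMB (445, used to create the machine account) and kpasswd (464).
function Test-DomainReachability {
    param([Parameter(Mandatory)][string]$Domain)
    $dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $dcs) {
        foreach ($port in 88, 389, 445, 464) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DC = $dc; Port = $port; Open = $ok }
        }
    }
}

# 2. Kerberos rejects requests whose timestamp is more than 5 minutes (the AD default)
#    off the DC's clock; it compares absolute (UTC) time, not timezone names. Parse the
#    ACS 'show clock' line as UTC and compare it with this host's (domain-synced) UTC time.
function Get-AcsClockSkew {
    param([Parameter(Mandatory)][string]$AcsShowClock)
    $line   = ($AcsShowClock -replace '\s+', ' ').Trim()       # "Apr  1" -> "Apr 1"
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $acsUtc = [datetime]::ParseExact($line, "ddd MMM d HH:mm:ss 'UTC' yyyy",
        [cultureinfo]::InvariantCulture, $styles)
    $hostUtc = [datetime]::UtcNow
    $skew    = $acsUtc - $hostUtc
    [pscustomobject]@{
        AcsUtc                  = $acsUtc
        HostUtc                 = $hostUtc
        SkewSeconds             = [math]::Round($skew.TotalSeconds, 1)
        WithinKerberosTolerance = [math]::Abs($skew.TotalMinutes) -lt 5
    }
}

# Usage (assumed domain; the clock string is a constructed sample, paste your own):
Test-DomainReachability -Domain 'example.local' | Format-Table -AutoSize
Get-AcsClockSkew -AcsShowClock 'Wed Apr 14 06:32:00 UTC 2010'
```

If WithinKerberosTolerance comes back false, fix the ACS clock source (NTP) before touching anything else; a DC port that is closed from the ACS network segment shows up here as Open = False for that DC.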

manikandan15 Fri, 04/16/2010 - 23:58

Hi  Jagdeep,


Thanks a lot, I found the problem. The timezone in AD was set wrong; that's why I was not able to join my AD.

Yes, now I am able to join my ACS to AD without any issues. One more thing: after joining AD, my ACS shows the wrong time in the AAA logs, but in the ACS GUI as well as the CLI it shows the correct time.

Please advise me on this and let me know what the reason for this problem could be.


Regards

Manikandan

glearmon Wed, 08/10/2011 - 21:01

Wouldn't there be a 'clock skew' error if the timezones were different?

nickjacobs Thu, 07/08/2010 - 20:21

Hi Torsten,


I am having the same problem - did you ever get this resolved? Doing local ACS cert auth (as part of the AD certificate chain setup) works for machine auth instead of binary comparison against the cert pulled from AD, but I need the AD-integrated features to check dial-in properties etc. - and when I have binary comparison on, user auth works and machine auth gets the problem you describe.


Cheers,

Nick

nickjacobs Tue, 07/13/2010 - 18:47
There is an attribute in the machine certificate template in AD used for issuing machine certificates - a check box to publish the certificate to AD. This was not checked and needs to be. So basically, examining a user's cert in AD, the userCertificate attribute was populated with a binary cert, but under a machine object the userCertificate attribute was empty; hence ACS couldn't find the attribute to binary-compare with when it looked up the machine account.
Ticking a checkbox in AD will fix this.
theeaglelb Mon, 10/31/2011 - 13:14

I am using ACS 5.3 and I had the same error, "Binary comparison of certificates failed".

The issue was that in AD the group Cert Publishers was not added to the users, which meant that the certificate was not present in AD. After adding the users to this group and deleting and requesting a new cert for the user, all works fine.
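An added example, not from the thread and not Cisco's or Microsoft's code, that turns the two fixes above (nickjacobs's "publish certificate to AD" template flag and theeaglelb's Cert Publishers membership) into checks you can run before blaming ACS. It needs the ActiveDirectory module (RSAT) on a domain-joined Windows host. It reads the userCertificate attribute of the computer object, which is the value ACS binary-compares against the certificate the supplicant presents, and compares it byte for byte with the client-authentication certificate in the machine's own store; it then reads the template's msPKI-Enrollment-Flag bit 0x8 (CT_FLAG_PUBLISH_TO_DS, the "Publish certificate in Active Directory" check box) and checks that the issuing CA's computer account is in Cert Publishers, the group that lets the CA write userCertificate on user and computer objects. The names WS01 (client computer account), MachineEAP (template CN) and CA01 (CA computer account) are assumptions; replace them with yours.

```powershell
# Added example, not from the thread. Assumed names: WS01 (802.1X client's computer
# account), MachineEAP (certificate template CN), CA01 (issuing CA's computer account).
Import-Module ActiveDirectory

# Certificates published on the computer object. ACS reads this multi-valued attribute
# (userCertificate) and compares its DER bytes with the certificate the supplicant sends;
# an empty attribute is what produces "24483 Failed to retrieve the machine certificate".
function Get-PublishedMachineCert {
    param([Parameter(Mandatory)][string]$ComputerName)
    $obj = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    foreach ($der in @($obj.userCertificate)) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

# Run on the client itself: does a client-auth certificate in the machine store match,
# byte for byte, one of the certificates published in AD? A re-enrolled certificate that
# was never republished fails here exactly like an empty attribute does.
function Test-MachineCertBinaryMatch {
    param([Parameter(Mandatory)][string]$ComputerName)
    $published = @(Get-PublishedMachineCert -ComputerName $ComputerName)
    $result = [pscustomobject]@{ Computer = $ComputerName; Published = $published.Count; Match = $false; Thumbprint = $null }
    if ($published.Count -eq 0) { return $result }

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
    foreach ($cert in $local) {
        $localDer = [Convert]::ToBase64String($cert.RawData)    # exact byte comparison
        foreach ($pub in $published) {
            if ([Convert]::ToBase64String($pub.RawData) -eq $localDer) {
                $result.Match = $true
                $result.Thumbprint = $cert.Thumbprint
                return $result
            }
        }
    }
    $result
}

# "Publish certificate in Active Directory" on the template is bit 0x8 (CT_FLAG_PUBLISH_TO_DS)
# of msPKI-Enrollment-Flag. Without it the CA issues the cert but never writes userCertificate.
function Test-TemplatePublishesToAD {
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
        -LDAPFilter "(cn=$TemplateName)" -Properties 'msPKI-Enrollment-Flag'
    if (-not $tpl) { throw "template '$TemplateName' not found" }
    [bool]([int]$tpl.'msPKI-Enrollment-Flag' -band 0x8)
}

# The CA writes userCertificate using its own computer account, which must therefore be
# a member of Cert Publishers in the domain that holds the user and computer objects.
function Test-CaInCertPublishers {
    param([Parameter(Mandatory)][string]$CaComputerName)
    $members = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive
    [bool]($members | Where-Object { $_.SamAccountName -eq "$CaComputerName$" })
}

# Usage (assumed names):
Test-MachineCertBinaryMatch -ComputerName 'WS01'
Test-TemplatePublishesToAD  -TemplateName 'MachineEAP'
Test-CaInCertPublishers     -CaComputerName 'CA01'
```

Read the three results together: Published = 0 with the template flag false points at the template; Published = 0 with the flag set but the CA missing from Cert Publishers points at the group; Published > 0 but Match = False means the machine re-enrolled and the new certificate was never written back to AD, so ACS is comparing against a stale one.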
