I'm just evaluating ACS 5.1 for the first time. I'm trying to use EAP-TLS for machine authentication, and use AD to look up group membership for Computer Accounts to determine authorization.
The problem I'm having is that ACS is authenticating the certificate ok, but not finding the account in AD because it is searching for a User account rather than a machine account:
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - CP-7925G-SEP002333415D2B
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
I have an Identity sequence that uses the Certificate CN to then get the attributes and groups from AD.
How does ACS decide whether it should search for a User or a Machine account, based on the incoming RADIUS request or the cert? And how can I configure it to search for a Computer account instead?
This is a dummy AD computer account to authorize IP Phones. If I create a User account with the CN of the cert, then everything works fine, but I wish to use a computer account for other reasons. Plus, I will soon need to use Computer accounts when I'm authenticating proper Windows clients that are domain members.