
New Member

ACS 5.3 and Machine Authentication

I am using ACS 5.3. I have successfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication succeeded.

I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.

I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a successful EAP-TLS authentication.

I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?

Anybody have any ideas?

Thanks

7 REPLIES
New Member

ACS 5.3 and Machine Authentication

Hi pblume,

I can't find the link I'm referring to, but it sounds like the Wireless LAN Controller is caching the authentication data, not the ACS.

Thomas

New Member

ACS 5.3 and Machine Authentication

Thomas,

Thanks for the reply. However, if the WLC was caching the authentication data, then I'm assuming that I would not see any authentications in ACS since the WLC is taking care of it. Also, the WLC Session Timeout is forcing the laptop to do a full re-authentication with the Radius server. So the re-authentication request is definitely getting to the ACS.

I've seen the behavior you're referring to with roaming and caching the encryption keys. But I don't think this is the same thing.

Thanks

Re: ACS 5.3 and Machine Authentication

In your certificate authentication profile, do you have the option to "Perform Binary Certificate Comparison..." checked? If you don't, the ACS will authenticate the client based on the certificate in the Trusted CA store, meaning that if the ACS has the root certificate installed and the client presents a cert signed by this CA, then authentication will succeed at the ACS and not with AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

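Added example, not code from this thread or from Cisco: a small Python model, using the cryptography library, of the two Certificate Authentication Profile behaviours Tarik describes. It builds a constructed lab CA and two machine certificates it issued, and uses a dictionary as a stand-in for the certificate stored on the AD computer object; the step codes in the reject reasons are the ones quoted later in this thread, and AD being disconnected is modelled by passing None as the store.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _cert(cn, key, issuer_cn, issuer_key):
    # Minimal X.509 certificate builder for the constructed lab PKI below.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

# Constructed lab PKI: one root CA (in the ACS trusted store) and two machine certs it issued.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = _cert("Lab Root CA", CA_KEY, "Lab Root CA", CA_KEY)
PC_CERT = _cert("lab-pc.example.test", ec.generate_private_key(ec.SECP256R1()), "Lab Root CA", CA_KEY)
OTHER_CERT = _cert("other-pc.example.test", ec.generate_private_key(ec.SECP256R1()), "Lab Root CA", CA_KEY)
# Stand-in for AD: only lab-pc's computer object carries a stored certificate (DER bytes).
AD_STORE = {"lab-pc.example.test": PC_CERT.public_bytes(serialization.Encoding.DER)}

def chain_trusted(cert, trusted_cas):
    # Trusted-CA-store check: issuer matches a trusted root and the signature verifies (no revocation/validity here).
    for ca in trusted_cas:
        if cert.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            pass
    return False

def authenticate(cert, binary_compare, ad_store):
    """Model of the ACS decision; returns (result, reason). ad_store=None models AD disconnected."""
    if not chain_trusted(cert, [CA_CERT]):
        return "reject", "certificate not issued by a trusted CA"
    if not binary_compare:
        return "accept", "CA trust only, AD never consulted"  # the behaviour the original poster saw
    if ad_store is None:
        return "reject", "24483 Failed to retrieve the machine certificate from Active Directory."
    host = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if ad_store.get(host) != cert.public_bytes(serialization.Encoding.DER):
        return "reject", "22049 Binary comparison of certificates failed"
    return "accept", "binary comparison matched the AD record"
```

With binary comparison off, any certificate chaining to the trusted root is accepted whether or not AD is reachable; with it on, the decision depends on the certificate actually stored on the computer object.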
New Member

Re: ACS 5.3 and Machine Authentication

Tarik,

OK, you are right. I enabled that option and saw the wireless client fail (finally)!

Unfortunately, when I activate the Domain Controller, I also fail authentication with the following issues from the ACS log:

Evaluating Identity Policy
15006  Matched Default Rule
24433  Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24435  Machine Groups retrieval from Active Directory succeeded
24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24483  Failed to retrieve the machine certificate from Active Directory.
22049  Binary comparison of certificates failed
22057  The advanced option that is configured for a failed authentication request is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
12507  EAP-TLS authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

I know it's not a Cisco ACS issue, but would you know what I need to do to allow the laptop certificate to be retrieved from the Domain Controller? I can see the certificate in the Active Directory Certificate Services "Issued Certificates" folder.

Thanks

Re: ACS 5.3 and Machine Authentication

What functional level is your domain, and what version of Windows are you using for the certificate authority?


Tarik Admani *Please rate helpful posts*
New Member

Re: ACS 5.3 and Machine Authentication

The domain functional level is Windows Server 2008 R2. The CA is on the same server.

ACS 5.3 and Machine Authentication

Hi,

See if this gives you any luck:

http://technet.microsoft.com/en-us/library/cc730861%28v=ws.10%29

Thanks,

Tarik Admani
*Please rate helpful posts*
