Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ACS 5.3 EAP-TLS Machine authentication with AD - Failed with 24492

We successfully configured EAP-TLS on the ACS (5.3) for machine authentication using certificate only. I then would like ACS to check whether the machine is in a specific group in AD before permitting the access. The ACS has failed "Machine authentication against AD" code 24492 for all Windows clients, but it works for Mac machines (Yes, those Mac are joining to AD).

What we have configured so far,

- Users and Identity Stores > External Identity Stores > Active Directory

     - Enabled Machine authentication

     - Select Group name that machines reside

- Users and Identity Stores > External Identity Stores > Ceritificate Authentication Profile, Principal Username X509: Subject Alternative Name

- Access Policies > Access Services > [ServiceA], Allowed Protocols, Enabled Process Host Lookup, Allow EAP-TLS

- Access Policies > Access Services > [ServiceA]

     - Create Identity rule to match the Subject and result the Authentication Profile created above then AD

     - Create Authorization rule to match the AD group created above

The ACS returned

RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed

As far as I can tell, it hit the identity rule, extracted the SAN, but failed to look up on AD. The above configuration works for Mac machines.

Can anyone shed some light on this?

Thanks

3 REPLIES

Re: ACS 5.3 EAP-TLS Machine authentication with AD - Failed with

Anyone?

Below are the Steps of the authentication details

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - Wireless AD Authentication

11507 Extracted EAP-Response/Identity

12500 Prepared EAP-Request proposing EAP-TLS with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

12800 Extracted first TLS record; TLS handshake started.

12805 Extracted TLS ClientHello message.

12806 Prepared TLS ServerHello message.

12807 Prepared TLS Certificate message.

12809 Prepared TLS CertificateRequest message.

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

12811 Extracted TLS Certificate message containing client certificate.

12812 Extracted TLS ClientKeyExchange message.

12813 Extracted TLS CertificateVerify message.

12804 Extracted TLS Finished message.

12801 Prepared TLS ChangeCipherSpec message.

12802 Prepared TLS Finished message.

12816 TLS handshake succeeded.

12509 EAP-TLS full handshake finished successfully

12505 Prepared EAP-Request with another EAP-TLS challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12504 Extracted EAP-Response containing EAP-TLS challenge-response

Evaluating Identity Policy

15004 Matched rule

22037 Authentication Passed

22023 Proceed to attribute retrieval

24433 Looking up machine/host in Active Directory - COMPUTERNAME$@DOMAIN

24492 Machine authentication against Active Directory has failed.

22059 The advanced option that is configured for process failure is used.

22062 The 'Drop' advanced option is configured in case of a failed authentication request.

Cisco Employee

Re: ACS 5.3 EAP-TLS Machine authentication with AD - Failed with

Is the machine authentication with eap-tls not working for Machintosh machines and working for windows machines?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**

ACS 5.3 EAP-TLS Machine authentication with AD - Failed with 244

No. It is the other way round which is quite bizarre. It is working for Mac machines joining to the doamin, but not Windows.

554
Views
0
Helpful
3
Replies