I'm just evaluating ACS 5.1 for the first time. I'm trying to use EAP-TLS for machine authentication, and use AD to look up group membership for Computer Accounts to determine authorization.
The problem I'm having is that ACS is authenticating the certificate ok, but not finding the account in AD because it is searching for a User account rather than a machine account:
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - CP-7925G-SEP002333415D2B
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
I have an Identity sequence that uses the Certificate CN to then get the attributes and groups from AD.
How does ACS decide if it should search for a User or Machine account based on the incoming RADIUS request or cert?... And how can I configure it to search for a Computer account instead?
This is a dummy AD computer account to authorize IP Phones. If I create a User account with the CN of the cert then everything works fine, but I wish to use a computer account for other reasons. Plus I will soon need to use Computer accounts when I'm authenticating proper Windows clients that are domain members.
From the snippet you posted, it doesn't seem like a machine authentication. It is a request from a 7925 phone which sends its MAC address (CP-7925G-SEP002333415D2B is what we may find in the cert issued to that phone). Do you know the container for the phones on the AD? I don't think phones usually are placed under the domain computers container.
BTW, if it is a Windows machine auth it usually comes as host\machine.domain where the host\ keyword is what tells the ACS that the request is for machine auth. Try configuring your supplicant to do machine auth and see how it goes.
The Computer account for the 7925 is just located in a custom OU in AD. We want to use this account for authorization only. Basically so that we can allow Windows and non-windows clients to connect to our WLANs, but have all of the authorization done within AD group membership.
That's interesting about the host\machine.domain format. Would I be correct in thinking the "host/" part is already in the original EAP message from the client, or added somewhere along the way, perhaps by the wireless lan controller?
Do you know if there's a way to configure the 7925 to send in this format? After all, it's a host that I'm authenticating, not a user...
I've had this working on ACS 4.2, but only using LDAP for the attribute lookup - and LDAP doesn't care about host vs user. I suppose I could do the same in ACS 5.1 using LDAP but would prefer to use the AD integration.
The Windows machine and the supplicants know to add the 'host\' and it is part of the EAP message. If you are doing EAP-TLS, having the phone cert issued to 'host\SEP...... ' may help but I am not sure as I haven't done something like this before. Moreover, you can still achieve what you are looking for by treating this as user auth and I am not sure about the rationale behind wanting the ACS to treat it as machine auth?
Yes I understand it will work with a User account in AD - I have this configured for one of the phones at the moment for testing and it works fine. The problem is that we already have all the accounts in AD as computer accounts, and all of the certs deployed. We were using LDAP integration with AD in ACS 4.2 and this worked fine because LDAP does not distinguish between object types unless you tell it to with filters. And we used computer accounts rather than user accounts because the phones are computers... not users.
I guess my options are to either use LDAP instead of the native AD integration in ACS 5.1 or to get all of our 7925 computer accounts recreated as user accounts using a script.
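The two points the thread turns on (how an identity gets classified as user or machine from the host/ prefix, and why a plain LDAP lookup finds a computer account while a user-only lookup does not) can be shown in a few lines. The following is an added example, not code from the thread or from ACS. It assumes a constructed in-memory stand-in for AD with three entries, a simplified objectCategory value (the short name, as it is matched in searches, rather than the full schema DN), and a minimal AND-only filter evaluator; the sAMAccountName-with-$ convention for computer objects and the fact that the computer class derives from user are standard AD behaviour.

```python
"""Classify an EAP identity as user or machine and look it up with an LDAP
filter that names the object category, so a computer account is found only
when the lookup asks for one. Added example; directory data is constructed."""
import re

# Constructed sample entries standing in for AD (not real directory data).
# Note that the phone and laptop objects carry objectClass 'user' as well as
# 'computer': in AD, computer is a subclass of user, which is why a filter on
# objectClass=user alone does not distinguish the two kinds of account.
SAMPLE_DIRECTORY = [
    {"dn": "CN=CP-7925G-SEP002333415D2B,OU=Phones,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "computer",
     "cn": "CP-7925G-SEP002333415D2B",
     "sAMAccountName": "CP-7925G-SEP002333415D2B$",
     "memberOf": ["CN=VoIP-Phones,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=jsmith,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person",
     "cn": "jsmith",
     "sAMAccountName": "jsmith",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=LAPTOP01,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "computer",
     "cn": "LAPTOP01",
     "sAMAccountName": "LAPTOP01$",
     "dNSHostName": "laptop01.example.com",
     "memberOf": ["CN=Domain-Laptops,OU=Groups,DC=example,DC=com"]},
]


def classify_identity(identity):
    """Return ('machine', name) when the EAP identity carries the host/ prefix
    a Windows supplicant adds (the thread writes it as host\\), else ('user', identity)."""
    m = re.match(r"host[/\\](.+)", identity, re.IGNORECASE)
    if m:
        return "machine", m.group(1)
    return "user", identity


def sam_account_name(kind, name):
    """Map an identity to the sAMAccountName AD stores: machines use the short
    host name (domain suffix stripped) with a trailing '$'."""
    if kind == "machine":
        return name.split(".")[0].upper() + "$"
    return name


def build_filter(kind, name, by_cn=False):
    """Build an LDAP filter that names the object category, so a user lookup
    cannot match a computer object and vice versa. by_cn=True matches on the
    certificate CN, as the poster's ACS 4.2 LDAP setup did."""
    if by_cn:
        attr, value = "cn", name
    else:
        attr, value = "sAMAccountName", sam_account_name(kind, name)
    category = "computer" if kind == "machine" else "person"
    return f"(&({attr}={value})(objectCategory={category}))"


def search(directory, ldap_filter):
    """Minimal evaluator for AND-only filters of the form (&(a=v)(b=w)):
    every (attr=value) term must match, case-insensitively, and multi-valued
    attributes match when any value equals the term."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]+)\)", ldap_filter)
    hits = []
    for entry in directory:
        ok = True
        for attr, value in terms:
            have = entry.get(attr, [])
            if not isinstance(have, list):
                have = [have]
            if not any(v.lower() == value.lower() for v in have):
                ok = False
                break
        if ok:
            hits.append(entry)
    return hits


def lookup_groups(identity, directory=SAMPLE_DIRECTORY, by_cn=False, force_kind=None):
    """Classify the identity, search with a category-aware filter and return
    (kind, groups). force_kind overrides the classification, which is what the
    poster needs: a cert CN with no host/ prefix looked up as a computer."""
    kind, name = classify_identity(identity)
    if force_kind:
        kind = force_kind
    hits = search(directory, build_filter(kind, name, by_cn))
    return kind, [g for h in hits for g in h["memberOf"]]


if __name__ == "__main__":
    # The thread's failing case: cert CN, no prefix, looked up as a user -> no groups.
    print(lookup_groups("CP-7925G-SEP002333415D2B"))
    # The same identity looked up as a computer by CN -> the phone's group.
    print(lookup_groups("CP-7925G-SEP002333415D2B", by_cn=True, force_kind="machine"))
    # A Windows supplicant's machine identity -> LAPTOP01$ -> its group.
    print(lookup_groups("host/laptop01.example.com"))
```

The first call reproduces the log in the original post: the identity has no host/ prefix, so it is treated as a user, the user-category filter excludes the computer object, and nothing is returned. The second call is the behaviour the poster wants, obtained by choosing the computer category explicitly rather than by renaming the account.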