
New Member

ACS WLAN Machine Auth with AD problem

Hi,

I'm just evaluating ACS 5.1 for the first time. I'm trying to use EAP-TLS for machine authentication, and use AD to look up group membership for Computer Accounts to determine authorization.

The problem I'm having is that ACS is authenticating the certificate ok, but not finding the account in AD because it is searching for a User account rather than a machine account:

Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - CP-7925G-SEP002333415D2B
24412  User not found in Active Directory
22016  Identity sequence completed iterating the IDStores


I have an Identity sequence that uses the Certificate CN to then get the attributes and groups from AD.

How does ACS decide if it should search for a User or Machine account based on the incoming RADIUS request or cert?... And how can I configure it to search for a Computer account instead?

This is a dummy AD computer account to authorize IP Phones. If I create a User account with the CN of the cert then everything works fine, but I wish to use a computer account for other reasons. Plus I will soon need to use Computer accounts when I'm authenticating proper windows clients that are domain members.

Thanks,

Peter

4 REPLIES
Cisco Employee

Re: ACS WLAN Machine Auth with AD problem

Hi Peter,

From the snippet you posted, it doesn't seem like a machine authentication. It is a request from a 7925 phone which sends its mac address (CP-7925G-SEP002333415D2B is what we may find in the cert issued to that phone). Do you know the container for the phones on the AD? I don't think phones usually are placed under the domain computers container.

BTW, if it is a windows machine auth it usually comes as host\machine.domain where the host\ keyword is what tells the ACS that the request is for machine auth. Try configuring your supplicant to do machine auth and see how it goes.

Thanks,

Mani

New Member

Re: ACS WLAN Machine Auth with AD problem

Hi Mani,


Thanks for the reply.

The Computer account for the 7925 is just located in a custom OU in AD. We want to use this account for authorization only. Basically so that we can allow Windows and non-windows clients to connect to our WLANs, but have all of the authorization done within AD group membership.

That's interesting about the host\machine.domain format. Would I be correct in thinking the "host/" part is already in the original EAP message from the client, or added somewhere along the way, perhaps by the wireless lan controller?


Do you know if there's a way to configure the 7925 to send in this format? After all, it's a host that I'm authenticating, not a user...

I've had this working on ACS 4.2, but only using LDAP for the attribute lookup - and LDAP doesn't care about host vs user. I suppose I could do the same in ACS 5.1 using LDAP but would prefer to use the AD integration.


Thanks,

Peter

Cisco Employee

Re: ACS WLAN Machine Auth with AD problem

Hi Peter,

The windows machine and the supplicants know to add the 'host\' and it is part of the EAP message. If you are doing EAP-TLS, having the phone cert issued to 'host\SEP...... ' may help but I am not sure as I haven't done something like this before. Moreover, you can still achieve what you are looking for by treating this as user auth and I am not sure about the rationale behind wanting the ACS to treat it as machine auth?

Thanks,

Mani

New Member

Re: ACS WLAN Machine Auth with AD problem

Hi Mani,

Yes I understand it will work with a User account in AD - I have this configured for one of the phones at the moment for testing and it works fine. The problem is that we already have all the accounts in AD as computer accounts, and all of the certs deployed. We were using LDAP integration with AD in ACS 4.2 and this worked fine because LDAP does not distinguish between object types unless you tell it to with filters. And we used computer accounts rather than user accounts because the phones are computers... not users.

I guess my options are to either use LDAP instead of the native AD integration in ACS 5.1 or to get all of our 7925 computer accounts recreated as user accounts using a script.

Thanks for your help.

Peter
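As an added illustration (not code from this thread or from Cisco ACS), the decision Peter is asking about can be modelled in Python: an identity of the host/name.domain form that Mani describes is treated as a machine account (an AD computer object, whose sAMAccountName carries a trailing "$"), and anything else as a user account unless the lookup is explicitly forced to computer objects, which is the explicit-filter approach Peter relied on with LDAP on ACS 4.2. The identities and OU below are constructed sample values.

```python
"""Classify an 802.1X/EAP identity and build the matching AD (LDAP) lookup filter."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    kind: str         # "machine" or "user"
    name: str         # bare account name used for the search
    ldap_filter: str  # RFC 4515 search filter for the AD query


def classify_identity(identity: str) -> tuple:
    """Return ("machine", shortname) for host/name.domain or host\\name.domain
    identities, otherwise ("user", identity) exactly as ACS's AD lookup would."""
    m = re.match(r"^host[/\\](?P<fqdn>[^@]+)$", identity, re.IGNORECASE)
    if m:
        return "machine", m.group("fqdn").split(".")[0]
    return "user", identity


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) so a CN copied from a client
    certificate cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_lookup(identity: str, treat_as_computer: bool = False) -> Lookup:
    """Pick the object class to search. treat_as_computer mimics the explicit
    objectClass filter that a plain LDAP identity store lets you configure."""
    kind, name = classify_identity(identity)
    safe = ldap_escape(name)
    if kind == "machine" or treat_as_computer:
        # Computer objects in AD are stored with a trailing '$' on sAMAccountName.
        flt = f"(&(objectClass=computer)(sAMAccountName={safe}$))"
        return Lookup("machine", name, flt)
    # Exclude computer objects so the lookup behaves like a user search.
    flt = f"(&(objectClass=user)(!(objectClass=computer))(sAMAccountName={safe}))"
    return Lookup("user", name, flt)


if __name__ == "__main__":
    # Constructed examples: a Windows supplicant identity and a phone cert CN.
    for ident, force in [("host/pc01.example.local", False),
                         ("CP-7925G-SEP002333415D2B", False),
                         ("CP-7925G-SEP002333415D2B", True)]:
        print(build_lookup(ident, force))
```

Run with the phone's CN and treat_as_computer=False to see the user-object filter that corresponds to the "24412 User not found" step in Peter's log; with treat_as_computer=True the same CN resolves against the computer object instead.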
