cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
530
Views
0
Helpful
3
Replies

ACS40, EAP-TLS against Windows AD

Lucky8888
Level 1
Level 1

We deployed ACS 4.0 (NOT ACS SE) and WLAN in our corporate network.

Our ultimate goal is to have each staff authenticated against our AD via ACS using EAP-TLS.

We managed to get PEAP working successfully, but failed with EAP-TLS.

From the log we noticed that when PEAP is used, ACS forward username to AD in domain-qualified format (domain\user),and authentication is successful.

When EAP-TLS is used, ACS forward username to AD in UPN format (user@domain), and auth.log received "External DB [NTAuthenDLL.dll]: cannot get user account controler for user@domain

External DB [NTAuthenDLL.dll]: user user@domain was not found

Unknown user 'user@doamin' was not authenticated" . Any workaround for this?

Can anyone throw some light here?

Thank you.

Lahki

3 Replies 3

Jagdeep Gambhir
Level 10
Level 10

Lahki,

Please see this link,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp326018

To permit user access to the network or computer authenticating with EAP-TLS, ACS must verify that the claimed identity (presented in the EAP Identity response) corresponds to the certificate that the user presents. ACS can accomplish this verification in three ways:

•Certificate SAN Comparison-Based on the name in the Subject Alternative Name field in the user certificate.

•Certificate CN Comparison-Based on the name in the Subject Common Name field in the user certificate.

•Certificate Binary Comparison-Based on a binary comparison between the user certificate in the user object in the LDAP server or Active Directory and the certificate that the user presents during EAP-TLS authentication. This comparison method cannot be used to authenticate users who are in an ODBC external user database (ACS for Windows only).

Regards,

~JG

JG,

Thanks the response.

We are using Certificate SAN Comparison, and the SAN field in the user certificate matches the user account in AD.

Is there anyone in here who used EAP-TLS with ACS against external Windows database and succeeded? Please throw some light in here. Many thanks in advance.

Hi JG,

We managed to get both PEAP and EAP-TLS working with ACS authenticating against windows AD.

http://www.cisco.com/en/US/ts/fn/200/fn20228.html

Regards

Lahki

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: