08-14-2013 08:12 AM - edited 03-10-2019 08:46 PM
Hi.
I'm trying to get 802.1x certificate authentication up and running. I want to use both user and machine certificate.
On "vanilla" v1.1.4, I got an error message with user certificate. After some reading it seems support for AD 2012 was added in patch 2.
So I installed patch 4, and user certificate authentication works!
But I still have problems with machine certificate authentication.
I get these errors:
Machine authentication against Active Directory has failed.
Check whether the machine's account is present and enabled in Active Directory. Also, check whether the Active Directory is reachable.
But the machine is indeed both present and enabled in AD.
And AD is working too. I know this from the user certificate authentication, because binary comparison is enabled:
24432 Looking up user in Active Directory - Dal@gaasdal.net
24469 The user certificate was retrieved from Active Directory successfully
22054 Binary comparison of certificates succeeded
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
So is Windows Server 2012 AD supported for machine authentication? Or do I need to go to v1.2 for that?
Or it could just be something wrong with my setup.
Thanks.
08-14-2013 08:51 AM
Can't remember clearly, but 1.1.4 may not support 2012 AD.
1.1.3 with latest patch should do... please check release notes...
1.2 should support it.
Sent from Cisco Technical Support iPad App
08-14-2013 12:58 PM
Hi, and thank you for answering.
The release notes (for both 1.1.3 and 1.1.4) say:
CSCug98513: Integrate components to support AD 2012 or mixed mode (2008)
Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments.
That's all that is mentioned about 2012 AD.
Not sure what it means, though.
08-14-2013 01:02 PM
Hi,
Support for 2012 is official in 1.2; the release notes list this as a new feature.
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp376082
Tarik Admani
*Please rate helpful posts*
08-15-2013 01:22 PM
Yes.
I upgraded to v1.2, and my configuration worked right away.
Thank you.
08-14-2013 05:43 PM
Please look in chapter 5; information to configure AD and debugs is mentioned there.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf