
ISE 1.1.4 and Windows 2012 AD

dal
Level 3

Hi.

I'm trying to get 802.1x certificate authentication up and running. I want to use both user and machine certificate.

On "vanilla" v1.1.4, I got an error message with user certificate. After some reading it seems support for AD 2012 was added in patch 2.

So I installed patch 4, and user certificate authentication works!

But I still have problems with machine certificate authentication.

I get these errors:

Machine authentication against Active Directory has failed.

Check whether the machine's account is present and enabled in Active Directory. Also, check whether the Active Directory is reachable.

But the machine is indeed both present and enabled in AD.

And AD is working too. I know this from the user certificate authentication, because binary comparison is enabled:

24432  Looking up user in Active Directory - Dal@gaasdal.net

24469  The user certificate was retrieved from Active Directory successfully

22054  Binary comparison of certificates succeeded

22037  Authentication Passed

12506  EAP-TLS authentication succeeded

So is Windows Server 2012 AD supported for machine authentication? Or do I need to go to v1.2 for that?

Or it could just be something wrong with my setup.

Thanks.

1 Accepted Solution


Hi,

Support for 2012 is official in 1.2; the release notes list this as a new feature.

http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp376082

Tarik Admani
*Please rate helpful posts*


5 Replies

Shaoqin Li
Level 3

Can't remember clearly, but 1.1.4 may not support 2012 AD.

1.1.3 with latest patch should do... please check release notes...

1.2 should support it.
Sent from Cisco Technical Support iPad App

Hi, and thank you for answering.

The release notes (for both 1.1.3 and 1.1.4) say:

CSCug98513: Integrate components to support AD 2012 or mixed mode (2008)

Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments.

That's all that is mentioned about 2012 AD.

Not sure what it means, though.


Yes.

I upgraded to v1.2, and my configuration worked right away.

Thank you.

blenka
Level 3

Please look in chapter 5; information to configure AD and debugs is mentioned.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf