1432 Views | 0 Helpful | 6 Replies

ISE 1.2 EAP-TLS and AD authentication

Aaron Street
Level 1

Hi,

I am sure I have had this working but just can't get it to now.

So I have a computer that has a certificate on it with the SAN principal name = 12345@mydomain.com. This is an auto-enrolled cert from my AD.

My Authentication profile says

IF the SSID (called-station) contains eduroam and principal name contains @mydomain.com, then use a certificate authentication profile (see attachment below).

Then my authorization profile says

if Active Directory group = "Domain Computers" then allow access.

When my computer tries to join it passes the certificate test, but when it gets to the AD group I get the below.

24433          Looking up machine in Active Directory - FY8FCT1$@mydomain.ac.uk

24492          Machine authentication against Active Directory has failed

22059          The advanced option that is configured for process failure is used

22062          The 'Drop' advanced option is configured in case of a failed authentication request

But I know my machine is in AD? What do I need to do to get the PC to use EAP-TLS to authenticate and an AD group to authorize?

Cheers

6 Replies

jj27
Spotlight

On Admin->Identity Management->External Identity Sources->Active Directory->Advanced Settings tab do you have enable machine authentications checkbox selected?

Hi,

Yep, looks like it.

Can you post a screenshot of your relevant Authentication and Authorization policy settings?

[Attachment: Authen.png]

This accepts all requests to one SSID and then, as you can see, if it is EAP-TLS it uses the cert store (see below), otherwise AH.

[Attachment: Authorization.png]

This just says if AD Group = /user/domainComputer, allow full access (simple rule).

[Attachment: cert store.png]

Perhaps try using the "common name" subject attribute, not the "other name" subject attribute. In the past, I've used common name for my deployments and it had worked. I also configure it a little differently, by configuring an identity source sequence for AD then local, with the certificate profile selected. Not saying my way is the right way, just saying how I had achieved success in the past.

Trouble is I need the machine to use the "principal name" for authentication. My username must be in the format

xxx@domain.com