Cisco Support Community
New Member

ISE AD Lookup fails

I have a problem with an AD lookup which is driving me nuts.

We are using machine certificates for authentication and AD groups for authorization policies.

We don't have any problems with Windows devices.

Now we are trying to include an Apple OS X device (native supplicant) and it doesn't work.

The certificate validation is successful, but afterwards the ISE tries an AD lookup for a user with the machine name instead of a machine lookup.

The only difference in the RADIUS request is the radius-username.

In the case of Windows it's like host/machine, and in the case of OS X the host is missing.

So my guess is that the host/ part is needed by ISE to recognize the request as a machine authentication.

The problem is that I can't find a possibility to force the OS X supplicant to add this part.

Can anyone give me a hint how to configure the OS X supplicant correctly?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ISE AD Lookup fails

The issue is that the Windows client prepends a "host/" in front of the name on the certificate and the Macintosh client does not. This is a known issue with Mac clients when performing machine authentication with EAP-TLS.

One of my colleagues created a doc for the same; please review the doc and check if it helps.

https://supportforums.cisco.com/docs/DOC-15477

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
3 REPLIES
New Member

ISE AD Lookup fails

That solved the problem.

Thanks a lot.

Cisco Employee

ISE AD Lookup fails

You're welcome

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
166
Views
10
Helpful
3
Replies
CreatePlease to create content