
ISE; machine based dot1x authentication not working

patrick.kofler
Level 1

Hi there,

I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded in doing the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE, it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.

I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.

In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.

Does anybody have a tip on how to solve this?

Thanks in advance

2 Replies

Tarik Admani
VIP Alumni

Are you using the option "

You will have to create an LDAP instance to make this work. After you configure the LDAP instance, you can go to Directory Organization > select "Strip start of subject name up to the last occurrence of the separator" and change the default to \.

Thanks,

Tarik Admani

If I understood correctly, I don't need to create an external identity source when using the Certificate Authentication Profile feature.

This is what I got from the documentation:

"Certificate authentication profiles are used in authentication policies for certificate-based authentications in place of identity sources to verify the authenticity of the user."

I intend to use machine based authentication without contacting an external identity source.

I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.

This brings me to another question.

If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE, or both CA certificates separately?

Thanks in advance

Regards,

Patrick