Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE; machine based dot1x authentication not working

Hi there,

I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.

I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.

In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.

Does anybody have a tip on how to solve this?

Thanks in advance

  • AAA Identity and NAC

ISE; machine based dot1x authentication not working

Are you using the option "

You will have to create an LDAP instance to make this work, after you configure the ldap instance then you can go to Directory Organization > select "Strip start of subject name up to the last occurrence of the separator" and change the default to \.


Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

ISE; machine based dot1x authentication not working

If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.

This is what I got from the documentation:

"Certificate authentication profiles are used in  authentication policies for certificate-based authentications in place  of identity sources to verify the authenticity of the user."

I intend to use machine based authentication without contacting an external identity source.

I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.

This brings me to another question.

If the CA issuing machine or user certificates is itself an intermediate CA do I have to install a chained certificate (intermediade CA+root CA) in the ISE or both CA certificates separately?

Thanks in advance



This widget could not be displayed.