
Unable to authenticate users with Cisco Secure ACS when LDAP user authentication is used, and the "Certificate name or binary comparison failed" error message appears
Introduction:

This document describes an issue faced by a user.

 

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It works on a client-server model. The information that makes up the LDAP tree (directory tree), or the backend LDAP database, can be stored on one server or spread across multiple servers. When an LDAP client opens a connection to an LDAP server, the client sends a query to the server. The server answers either with the requested data or with a pointer to the location where the client can gather that information. It does not matter which LDAP server the client connects to; the client sees the same view of the directory. A name assigned to an entry on one LDAP server refers to the same entry on any other LDAP server. This property is what makes LDAP valuable as a global directory service.

When a AAA server is integrated with LDAP, authentication and authorization are carried out against the credentials stored in LDAP (the external database). The credentials the user provides are verified against the information held in the directory.

Core issue

In this issue, user authentication fails with the "Certificate name or binary comparison failed" error message. This usually occurs when the binary comparison of the client certificate fails, typically because the certificate held in the directory is not stored in binary format.

ACS has three ways to verify a client certificate:

  1. CN comparison - Compares the CN in the certificate with the username in the database.

  2. SAN comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2.

  3. Binary comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named usercertificate.

 

Resolution

In order to resolve this issue, the user certificate must be stored in a binary format if binary comparison is used.

Complete these steps in order to correct this issue:

  1. Choose Certificate Binary Comparison under EAP-TLS in System Configuration > Global Authentication Setup.

  2. Store the client certificate in AD or LDAP in binary format with the use of the usercertificate attribute. Binary comparison compares the client certificate presented during EAP-TLS, byte for byte, with the binary certificate stored in the directory; a certificate stored as text will never match.
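The following is an added example in Python, not code from this Cisco document or from ACS itself. It models the byte-for-byte comparison that ACS performs between the EAP-TLS client certificate and the value held in the directory's usercertificate attribute, and shows the common cause of the error above: the certificate was stored as PEM text rather than as binary (DER) bytes. The certificate bytes and the directory values are constructed stand-ins.

```python
"""Model of ACS certificate binary comparison against the LDAP
usercertificate attribute (added example, not ACS code)."""
import ssl

# Constructed stand-in for the DER bytes of a client certificate. It is not a
# real X.509 structure; only the raw bytes matter for a binary comparison.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(32))


def der_to_pem_bytes(der):
    """Return the PEM (base64 text) form of a DER certificate, as bytes.
    This is what an administrator stores when they paste a .pem/.crt file
    into the directory instead of loading the binary certificate."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")


def binary_compare(presented_der, stored_values):
    """True if any value stored under usercertificate is byte-identical to
    the certificate the supplicant presented during EAP-TLS."""
    return any(value == presented_der for value in stored_values)


def diagnose(presented_der, stored_values):
    """Explain a failed comparison for troubleshooting.

    The directory normally returns usercertificate as a list of byte
    strings; a value beginning with the PEM header means the certificate
    was stored as text, which is the usual reason binary comparison fails.
    """
    if binary_compare(presented_der, stored_values):
        return "match"
    for value in stored_values:
        if value.startswith(b"-----BEGIN CERTIFICATE-----"):
            # Decode the PEM armour; if the decoded bytes match, the only
            # problem is the storage format, not the certificate itself.
            if ssl.PEM_cert_to_DER_cert(value.decode("ascii")) == presented_der:
                return "stored as PEM text; re-store the certificate in binary (DER) format"
    return "no matching certificate for this user"


if __name__ == "__main__":
    good_entry = [CLIENT_CERT_DER]                    # stored correctly
    bad_entry = [der_to_pem_bytes(CLIENT_CERT_DER)]   # stored as text
    print(diagnose(CLIENT_CERT_DER, good_entry))      # match
    print(diagnose(CLIENT_CERT_DER, bad_entry))       # stored as PEM text; ...
```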