Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3579
Views
0
Helpful
0
Comments

Unable to authenticate users with Cisco secure ACS with the use of the LDAP user authentication, and the "Certificate name or binary comparison failed" error message appears

TCC_2
Level 10
Level 10

‎06-18-2009 03:58 PM - edited ‎02-21-2020 09:54 PM

 

Introduction:

This document describes an issue faced by a user.

 

What is LDAP?

 

LDAP represents Lightweight Directory Access Protocol. It works on a client-server model. The information realted to LDAP tree (Directory tree) or backend LDAP database can be stored in one single server or multiple servers.When a LDAP client initiates the connection with LDAP server, client sends a question to server. In response to the client's question, server answers with the location's pointer where client can gather information.It does not matter to which  LDAP server client gets connected to, it  will find the same view of the directory. A name is assigned to one LDAP server refers to the same entry which will be present in another LDAP server. This feature is very appreciated in a global directory service.

 

When a AAA server is intigrated with LDAP at that time the authentication,authorization is carried out with the credentials stored in LDAP (External Database). User provided credentials are verified with the information available in Directory.

Core issue

In this issue, user authentication fails with the Certificate name or binary comparison failed error message. This issue usually occurs if binary comparison of certificate fails.

ACS has three ways to verify a client certificate:

 

  1. CN comparison This compares the CN in the certificate with the username in the database.

  2. SAN comparison-Compares the SAN in the certificate with the username in the database.This is only supported as of ACS 3.2.

  3. Binary comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named usercertificate.

 

Resolution

 

In order to resolve this issue, the user certificate must be stored in a binary format if binary comparison is used.

 

Complete these steps in order to correct this issue:

 

  1. Choose Certificate Binary comparision under EAP-TLS in System Configuration > Global Authentication Setup.

  2. Store the client certificate in AD or LDAP in binary format  with the use of the usercertificate attribute. Binary comparision compares the client certificate with a binary certificate stored in the directory.
Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents