ACS user and machine certificate.

Hi Community!
When trying to authenticate machines and users to an ACS 5.5 we have encountered some problems while trying to make this work.
The principal username in the user certificate is in the CN field and the principal username in the machine certificate is in the SAN=DNS field.
In the Certificate Authentication Profile I have configured that the principal username is the CN, and this works only when the user is validated; but when I change it to SAN=DNS the user cannot validate but the machine does. I tried adding two fields but it seems this is impossible in the identity store sequence.
So I went ahead and created two authentication profiles in the identity portion of the access policy, one for machine and one for user (with their respective identity store sequences), and the behavior is almost the same.
Am I doing something wrong in here? Can this scenario be achieved with the types of certificates we use?
Thanks in advance

Did you ever figure this one out ? I may have the same type issue.
thanks

Similar Messages

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend; the last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • EAP-TLS User and machine authentication question

    Hello,
    I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD if the user and machine are members of a certain group and, based on the membership, I can grant access to the network.
    I can see in the ACS when the laptop logs on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode; I guess this is normal because the laptop only sends the authentication request after rebooting.
    What I'd like to achieve is that when a user logs on, it should always be checked whether the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
    Thanks in advance
    alex

    Sounds like you rather want to use PEAP/MSChapV2

  • ACS Server and Downloading Certificate for LDAP External DB

    Hello,
    We have a Cisco ACS appliance version 3.3 (I know, it is older).
    We have a cert7.db file located on an FTP server ready for the ACS appliance to download so it will use secure ldap.
    No matter how we enter the information to download the certificate, it returns the error: The server name or address could not be resolved.
    We are trying to use the IP address (so name resolution should not be an issue), but just cannot get the darned thing to work. We can FTP from any other machine to the server using a dos prompt - credentials should not be an issue and neither should the starting directory - which is /.
    Anyone know what I might be missing?
    Joel

    Did you ever figure this one out ? I may have the same type issue.
    thanks

  • Machine Certificate will not be recognized

    Hi All, i have a Setup as Follows
    - 5508/1142
    - heterogenous Client with WZC, XP, SP3, SSO
    - ACS 5.2, MS AD
    The target is Single Sign On with machine certificates against AD. For testing purposes we tested with EAP-PEAP/MS-CHAPv2 and machine auth; this works fine. Now we installed a machine cert in the machine cert store (no user cert) and reconfigured the WZC to use certs and machine auth. What we see is an error message in the system tray that there is no certificate available. We checked it again; the MMC shows us a machine cert in the store.
    Where am I wrong? Any help welcome.
    BR, Michael

    Hi Michael,
    This is how it works when you select the certificate method under the WZC:
    Computer authentication works only before logon
    By default, after logon, only user authentication works. This means that each user on the system needs a certificate (!), including administrator. This can be overridden by AuthMode=2, but this is system-wide, implying that for a different wireless network user authentication won't work either. So AuthMode is not an option (except when the computer is only used in one 802.1X network).
    This implies too that as soon as there is a computer certificate and no user certificate, the network just does not work!
    This way it is not possible to use e.g. EAP-TLS with certificates for computers and PEAP-MSCHAPv2 with username/password for users.
    So if you wish to use certificate-based authentication for the machine, you need to use it also for user authentication (using WZC).
    If you have both user and machine certificate, then after installing the certs, reboot the machine and verify if it works.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • ACS 4.1 machine authentication problem

    Hi,
    I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. i'm using windows AD to authenticate users and machines.
    Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
    I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
    This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and waits 12 hours to log back on, authentication will fail (because machine authentication is already performed just after being logged off).
    Is it possible to force machine authentication (together with the user authentication) at Windows log on?
    Kind regards

    ACS 4.1 machine authentication can work on windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart CSAuth.exe service, and then try to authenticate again (with Machine credentials)

  • Machine certificate RADIUS wireless login

    Hi all,
    I have a customer who wants to have computer authentication against RADIUS (allow only school devices to connect through the SSID). As I am a network engineer, I am struggling with NPS settings and machine certificates.
    I have lab settings in our office where I am using Windows Server 2012 and configured domain certificates using the links below
    https://4sysops.com/archives/how-to-deploy-certificates-with-group-policy-part-2-configuration/#creating-the-certificates
    http://www.petenetlive.com/KB/Article/0000919.htm
    Under NPS I have two policies, one for domain devices and one for non-domain devices
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
                 Machine groups - domain\Domain devices - PC added to that group
    Constraints - Auth. method - Microsoft Smart Card or other certificate
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
    Constraints - Auth. method - Microsoft Protected EAP (PEAP)
    When tested with an iPad this was able to connect fine, but when testing with a domain laptop NPS returns Event ID 6273, Reason code 16:
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    The password is correct as I am using the same one for the iPad as well as for computer login.
    Anybody with an idea why it's not working?
    Thanks

    Under NPS I have two policies, one for domain devices and one for non-domain devices
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
                 Machine groups - domain\Domain devices - PC added to that group
    Constraints - Auth. method - Microsoft Smart Card or other certificate
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
    Constraints - Auth. method - Microsoft Protected EAP (PEAP)
    When tested with an iPad this was able to connect fine, but when testing with a domain laptop NPS returns Event ID 6273, Reason code 16
    Hi Lukas,
    Based on your description, the first policy is for domain devices, the second policy is for non-domain devices, the iPad is a non-domain device and the laptop is a domain device, is that right?
    Since the certificate was deployed via GPO, have you checked if the user or computer certificate was installed successfully on the laptops?
    To verify if the user certificate was installed on the laptop, please follow the steps below:
     1. Click Start, click Run, enter MMC to open a Console.
     2. Click File, click Add/Remove Snap-in.
     3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check My user account, click Finish, click OK.
     4. Expand Console Root\Certificates - Current User\Personal; if there is no certificate in this container, the user certificate was not installed successfully.
    To verify if the computer certificate was installed on the laptop, please follow the steps below:
     1. Click Start, click Run, enter MMC to open a Console.
     2. Click File, click Add/Remove Snap-in.
     3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check Computer account, click Finish, click OK.
     4. Expand Console Root\Certificates (Local Computer)\Personal; if there is no certificate in this container, the computer certificate was not installed successfully.
    Also, the NPS server and the laptops all need to trust the CA, so please check if there is a CA certificate in the Trusted Root Certification Authorities\Certificates container.
    Best Regards,
    Tina
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].

  • ISE 1.2 and multiple certificates

    Hello,
    Hopefully someone can answer this question.  We have ISE 1.2 setup and running, 802.1x and user and computer certificates.  All is working fine except some users have two user certificates, one from our server the other from our parent company.  When these users log in they get a bubble message saying "additional information is required to connect to the network", they click on this and they are asked to pick a certificate.  If they pick the one from us all works. 
    Question, is there a way either in Windows or ISE to use our certificate by default?  The PCs in question all have the cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8. 
    Thanks

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • EAP-TLS - ACS - Machine Certificates

    Hi,
    I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195.  I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
    Which is the best ACS option to choose for machine certificate comparison:
    - Certificate Subject AlternativeName
    - Certificate Common Name
    - Certificate Binary
    Is there a guide to use for setting up machine certificate templates for Windows Clients?
    Thanks,

    CN (or Name) Comparison—Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison—Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison—Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    Whatever comparison method is used, the information in the appropriate field (CN or SAN) must match the name that your database uses for authentication.

  • ACS 5.4 and machine authentication

    Hi,
    I am installing ACS 5.4 for WiFi users and using EAP-TLS/certificate-based authentication.
    I have an authorization profile created as shown in the attachment.
    Under the authorization profile I have selected the "Was Machine Authenticated=True" condition.
    Somehow clients are not able to connect. When I looked at the logs on ACS it shows that the requests are not matching this rule but the default rule.
    As soon as I disable this condition, the user gets connected.
    I have already selected "Enable Machine Authentication" under AD and "Process Host Lookup" in the allowed protocols.
    Any suggestions?
    Regards,
    Shivaji

    Shivaji,
    The purpose of the "WasMachineAuthenticated" attribute is for user authentication; this is your typical "chicken or the egg" scenario, since machine authentication needs to be performed without this attribute for successful authentication.
    When successful machine authentication occurs there is a MAR cache within ACS that is used to track the MAC address of the device. In your case you are forcing ACS to look for "WasMachineAuthenticated" during the initial machine authentication, which will not succeed.
    In my experience it is best to set this in environments where users can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
    I hope this brings some clarification to Edward's recommendation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
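    The 12-hour aging problem in the ACS 4.1 thread above and the "chicken or the egg" with WasMachineAuthenticated in this ACS 5.4 thread both follow from how the MAR cache is consulted. The Go program below is an added simulation, not Cisco code and not something any poster wrote: it keeps a per-MAC cache with an aging time, evaluates a machine rule and a user rule against it, and shows both the misconfiguration (the condition on the machine rule, so nothing ever enters the cache) and the expiry after 12 hours. The MAC address, timestamps and decision strings are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// MARCache models the Machine Access Restriction cache: a successful machine
// authentication is remembered per endpoint MAC until the aging time expires.
type MARCache struct {
	Aging   time.Duration
	entries map[string]time.Time // MAC -> time of last successful machine auth
}

func NewMARCache(aging time.Duration) *MARCache {
	return &MARCache{Aging: aging, entries: map[string]time.Time{}}
}

// WasMachineAuthenticated is the attribute an authorization rule can test.
func (c *MARCache) WasMachineAuthenticated(mac string, now time.Time) bool {
	t, ok := c.entries[mac]
	return ok && now.Sub(t) < c.Aging
}

// Request is one authentication from an endpoint: a machine (host/) identity
// or a user identity, seen at time At.
type Request struct {
	MAC       string
	IsMachine bool
	At        time.Time
}

// Policy records whether the machine rule itself carries the
// WasMachineAuthenticated=True condition (the misconfiguration in the thread).
type Policy struct {
	MachineRuleRequiresMAR bool
}

// Authorize evaluates one request against the rules and updates the cache
// when a machine authenticates successfully. It returns the decision text.
func Authorize(c *MARCache, pol Policy, r Request) string {
	if r.IsMachine {
		// The machine rule must not depend on the cache: the cache can only be
		// populated by a machine authentication that succeeds without it.
		if pol.MachineRuleRequiresMAR && !c.WasMachineAuthenticated(r.MAC, r.At) {
			return "deny (default rule)"
		}
		c.entries[r.MAC] = r.At
		return "permit (machine rule)"
	}
	// The user rule accepts only endpoints with a live MAR cache entry.
	if c.WasMachineAuthenticated(r.MAC, r.At) {
		return "permit (user rule)"
	}
	return "deny (default rule)"
}

func main() {
	t0 := time.Date(2014, 3, 1, 8, 0, 0, 0, time.UTC) // constructed timeline
	mac := "00:11:22:33:44:55"                        // constructed endpoint address
	strict := Policy{MachineRuleRequiresMAR: true}

	// ACS 5.4 thread: the condition on every rule denies the machine itself,
	// so the cache stays empty and the user is denied too.
	bad := NewMARCache(12 * time.Hour)
	fmt.Println("strict, machine:", Authorize(bad, strict, Request{mac, true, t0}))
	fmt.Println("strict, user:   ", Authorize(bad, strict, Request{mac, false, t0.Add(time.Minute)}))

	// Correct policy, then the 12-hour aging problem from the ACS 4.1 thread:
	// the last machine auth happened at log-off (t0); 13 hours later the user
	// reconnects without a new machine auth and hits the default rule.
	good := NewMARCache(12 * time.Hour)
	fmt.Println("machine at t0:  ", Authorize(good, Policy{}, Request{mac, true, t0}))
	fmt.Println("user +1 min:    ", Authorize(good, Policy{}, Request{mac, false, t0.Add(time.Minute)}))
	fmt.Println("user +13 h:     ", Authorize(good, Policy{}, Request{mac, false, t0.Add(13*time.Hour)}))
}
```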

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    1. Certificate
    2. Machine auth thru AD
    3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would i implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with the NAM module on the endpoints! But it doesn't make sense to configure some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7 machines that are sending correct information about the domain but wrong information about the user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect it again, the authentication and authorization happen correctly. I am still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
    Good luck and keep in touch.
    http://support.microsoft.com/kb/2743127/en-us

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
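    The CN-versus-SAN=DNS problem in the opening thread, the three comparison options quoted in the ACS 4.2 thread above, and the single-CAP limitation in this ISE thread all come down to which certificate field yields the principal username. The Go program below is an added example, not code from Cisco or from any poster: it builds two constructed self-signed certificates (user principal in CN only, machine principal in SAN:DNS only), applies one profile at a time to reproduce the failure the posters observed, and then applies an ordered profile sequence as the fallback they were looking for. It models only CN and SAN:DNS; SAN otherName (the smartcard UPN case) is not parsed into a named field by Go's crypto/x509 and is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Profile mirrors a Certificate Authentication Profile (CAP): the certificate
// field holding the principal username. Only CN and SAN:DNS are modelled.
type Profile string

const (
	ProfileCN     Profile = "CN"
	ProfileSANDNS Profile = "SAN:DNS"
)

var ErrNoPrincipal = errors.New("no principal username in the profile's field")

// PrincipalUsername applies a single CAP to a parsed certificate.
func PrincipalUsername(cert *x509.Certificate, p Profile) (string, error) {
	switch p {
	case ProfileCN:
		if cn := cert.Subject.CommonName; cn != "" {
			return cn, nil
		}
	case ProfileSANDNS:
		if len(cert.DNSNames) > 0 {
			return cert.DNSNames[0], nil
		}
	}
	return "", ErrNoPrincipal
}

// ResolvePrincipal tries the CAPs in order and reports which one matched: the
// fallback that an identity store sequence holding one CAP cannot express.
func ResolvePrincipal(cert *x509.Certificate, seq []Profile) (string, Profile, error) {
	for _, p := range seq {
		if name, err := PrincipalUsername(cert, p); err == nil {
			return name, p, nil
		}
	}
	return "", "", ErrNoPrincipal
}

// selfSigned builds a throwaway certificate (constructed test data, not CA-issued).
func selfSigned(cn string, dns []string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// UserCert carries the principal in CN only; MachineCert carries it in SAN:DNS only.
func UserCert() *x509.Certificate    { return selfSigned("jdoe", nil) }
func MachineCert() *x509.Certificate { return selfSigned("", []string{"laptop01.corp.example"}) }

func main() {
	for _, c := range []*x509.Certificate{UserCert(), MachineCert()} {
		name, p, err := ResolvePrincipal(c, []Profile{ProfileSANDNS, ProfileCN})
		fmt.Printf("principal %q via %s (err=%v)\n", name, p, err)
	}
}
```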

  • I want to bind my client certificate with machine certificate in order to bind user with dedicated one machine. Kindly help

    I have created one dedicated root CA for domain and auto enrollment has been enabled through Group Policy.
    I want to bind my client certificate with the machine certificate in order to bind the user to one dedicated machine, in order to prevent duplicate logins.

    Hi,
    How about using User Rights Assignment?
    You can deny all other users' "log on locally" right on the machine.
    User Rights Assignment
    http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
    Best Regards,
    Amy Wang

  • Issuing certificates for user and clients from different forest/domain

    Hello,
    At first I would like to say that I have done some research on this forum and on the Internet overall.
    I have an AD Forest with ~10 sites all over Europe, DFL and FFL are 2008 R2; right now we are migrating site by site from the old domain (samba) to AD.
    Lately I have deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node Failover Cluster.
    Everything in my AD Forest is OK, I mean autoenrollment works perfectly for users and computers from my forest;
    now I need to deploy a certificate (for test) to one web-based PBX server in the samba domain. There are no trusts etc. The samba domain as well as the AD Forest are working on the same network, with routable subnets in each site, so there is no problem with connectivity.
    What are the possible ways to achieve this goal? I mean to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?
    I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of a different domain); I selected username/password authentication; I am able to request a certificate and I can see all templates which I should see, but when I try to enroll I get an error:
    (translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
    My root CA cert is added to trusted publishers for computer and user node as well.
    What could be wrong? If you have any ideas or questions, please share or ask. 
    Thank you in advance.

    Everything is clear, I have Certificate Enrollment Web Services installed and configured;
    the problem is what I get from certutil -TCAInfo
    ================================================================
    CA Name: COMPANY-HATADCS002-ISSUING-CA
    Machine Name: COMPANYClustGenSvc
    DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
    Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
     NotAfter: 2019-02-14 12:44
    Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
    Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
      Enterprise Subordinate CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 02:
        Issuer: CN=HATADCS001-COMPANY-ROOT-CA
        ThisUpdate: 2014-02-14 12:16
        NextUpdate: 2024-02-15 00:36
        d7bafb666702565cae940a389eaffef9c919f07a
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 11:55
      NotAfter: 2024-02-14 12:05
      Subject: CN=HATADCS001-COMPANY-ROOT-CA
      Serial: 18517ac8a4695aa74ec0c61b475426a8
      b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    Exclude leaf cert:
      5b309c67a8b47c50966088a4d701c8526072c9ac
    Full chain:
      413b91896ba541d252fc9801437dcfbb21d37d91
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Supported Certificate Templates:
    Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
    Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
    Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
    Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
    Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
    Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
    Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
    Validated Cert Types: 7
    ================================================================
    COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
      Enterprise Subordinate CA
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
      Online
    CertUtil: -TCAInfo command completed successfully.
    Please shed some light on it because it's driving me crazy :/
    Thanks in advance
    One remark: certutil -tcainfo performed on the CA directly is 100% OK, no errors regarding
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • I have iTunes installed on a laptop that I use for work, but it's owned by my employer.  A new policy my have them deleting iTunes from the machine.  If that happens, will I lose all my music?  I am an iCloud user and pay for iTunes match.

    If they just delete iTunes, the music files should still be there. I suggest making a backup of them though. Locate your iTunes folder (The one that contains your library file) and just copy the whole thing to your Documents folder or wherever you like (Just not in the same directory of the original folder otherwise the computer will get confused and could confuse your iTunes library). Then you will have a backup of all your music, plus if you purchased it from iTunes, you will still have it linked to your Apple ID so you can re-download them to any computer with iTunes on it when you feel like it.
