EAP-TLS Machine Authentication/Certificate

Hi,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN. I can make each user get a user cert from my CA and if I use an admin account I can get windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.
Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.
When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but i can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).
Do I need to alter some setting in the cert to pass a different user/machine name or do i need to get a different kind of cert from the CA?
Any help will be greatfully received.
Thanks,

It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?
Or perhaps you don't have a machine cert on the computer. You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

Similar Messages

EAP-TLS machine authentication problems

Well..
I have the following devices:
WCS
Wlan controller 4402
AP 1130 LWAPP
Workstation XP sp2
Secure ACS 4.0
Windows CA
Windows AD
Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
Which clarifications do I have to do in ACS and AD?
Can someone help me and give me very detailed instructions on how to make it work.

Hi,
We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

ACS 5.3, EAP-TLS Machine Authentication with Active Directory

I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.

Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
Steve

You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
an example (uses user/pass though, but same concept)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

802.1x eap-tls machine + user authentication (wired)

Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
    <string>System</string>
    <string>Loginwindow</string>
</array>
<key>PayloadScope</key>
    <string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
Thanks

Unfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ?

ISE 802.1x EAP-TLS machine and smart card authentication

I suspect I know the answer to this, but thought that I would throw it out there anway...
With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good). I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

Hope this video link will help you
http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

EAP-TLS - 802.1x - Certificate renewal

Hello
I want to implement EAP-TLS as realised in Document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything thing works fine.
Though our customer wants to FW the Data WLAN/ VLAN and allow only data traffic between WLAN Client to a the terminal server within his secure LAN.
By blocking all other traffic(except Terminal Server sessions) we experienced that the MS WinXP Client cannot renew its` EAP_TLS Certificate (in this case both user and machine)when its` Time expires.
Could somebody give me a hint if there are other Cisco solutions for this issue.
I have also read something about Cisco Virtual office. Does this deployement coupe up to solve this issue?

The purpose Cisco ACS agent is, that ACS 4.x appliance (non-Windows2003 server) is capable to do Windows user authentication. I guess that won't help your issue.
What I don't get is the following:
Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).

EAP-TLS Wireless Authentication - General questions

Hi,
I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
What certificate is preferred to use for this purpose? Computer o User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate o vice versa? I have been told that user certificates are easier to compromise (or steal from a windows machine) than computer certificates
even if a user doesn’t have Admin privileges in their machine?
I have also been told that using user certificates could result in some issues to pass some Compliance audits.
I would like to be sure that the design complies with the most recommended and secure alternative.
I would appreciate some help.
Many thanks.

There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable
controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity
above passwords. It's not foolproof.
The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel
to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the
computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
User Authentication is a little easier as its easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop
they want to use as there is no means to contact a DC to authenticate a user the first time.
Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected
to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best
security option, but it means managing both user and computer objects properly.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

PEAP vs EAP-TLS Wireless Authentication Method

Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks,

Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks,

EAP-TLS 802.1x certificate issue..

Hi All,
I m trying to setup eap-tls 802.1x using ACS SE 4.1.1.23.4 , WLC & CA. The problem i m facing is with installing the CA certificate on ACS appliance. Tried everything from cisco docs but not able to install certificate as its giving " Unsupported private key file format." The steps whic i had performed are...
1) Generate Certificate Signing Request:
Certificate subject ---- CN=idea_acs_01
Private key file ---- privatekeyfile.pem
Private key password -- cisco
Retype private key password -- cisco
Key length --- 1024
Digest to sign with --- SHA1
Then coppied the certificate signing request from the right side & pasted it on CA using "advanced certificate request" & then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on CA & pasted the output in Base-64-encoded
certificate request. Then issued the certificate from CA & downloaded it on my desktop & then from my desktop to FTP server.
Even made a file naming privatekeyfile.pem with the output got during Generating Certificate Signing Request & uploaded the same on FTP.
2)Install ACS Certificate:
Then downloaded the certificate certnew.cer from FTP server using Download certificate file option. And also Download private key file from the FTP & typed password cisco. But after Submiting it gives error:
"Unsupported private key file format."
m not able to get why this srror is comming. Even tried all the steps above changing the format of Private key file ie .pvk , .pk but its not working for me.
Can anyone guide me whats the issue. Thanks in advance..
Regards,
Piyush

Have you looked at this:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
Try to open up the certificate and verify that it looks something like this:
-----BEGIN CERTIFICATE-----
IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
eUv4viaap9fTfcVM=
-----END CERTIFICATE-----

EAP-TLS machine and user cert or both

If I use machine and user certificates does that mean the machine get's an IP address, authenticates, the user then logs on which causes another DHCP renew and user authentication? Is it better to use machine and user or just machine?

It depends on your needs and applications, the advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network irrelevant of whether a user has logged in, which means you can remote access or monitor the machine at that point. I know alot of facilities that do it that way because they manage the machines with things like SMS, etc.. Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine at which point it pass authentication.
personally I like the machine authentication that way you can push updates and other things to the machines without having to either send a person to the machine to login or waiting for a user to login so that you can access the machine, it just needs to be on.
in short machine authentication replicates being hardwired to the network.
Hope this helps... please rate useful posts.
Thanks,
Kayle

EAP-TLS config - No certificates found on your computer.

Howdy,
With Aironet client 3.6, it complains that I have no certificates on my computer when I attempt to configure EAP-TLS. As far as I know, I do have certs on my computer. They were created with OpenSSL and appear to comply with the requirements in the EAP-TLS deployment guide.
I'm stuck!

Please check the cert on the client pc.
Open MMC --->Certificate--->Personal , Do you see user cert here ?
Regards,
~JG

ISE 1.1 EAP-TLS User Authentication in Multiforest

Hello,
we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.
This is the setup:
In domain1 is a MSFT CA with OCSP, DC and ISE
In domain2 is a DC and the users
there is a two way trust between the domains.
This is my authentication scenario:
1. agent connect to a wireless network (ok)
2. client exchanges certificate information with ISE (ok)
3. ISE exchanges certificate status with CA (ok)
4. ISE extracts the subject Alternative Name from the certificate [email protected] (ok)
5. ISE queries Active Directory store for the user [email protected] (not ok fails with 22056 Subject not found)
in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.
I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.
Any Ideas?
Regards
Alex
Extract from Log File
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person
[email protected]
options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:
[email protected]#012name
[email protected]
type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="
[email protected]
" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper
'[email protected]'
is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person [email protected] options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: [email protected]#012name: [email protected] type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="[email protected]" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper '[email protected]' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

Tarik,
from the ISE cli i can nslookup domain2.lan and i get this result
nos-ch-wbn-ise1/admin# nslookup domain2.lan
Trying "domain2.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
;; QUESTION SECTION:
;domain2.lan.              IN      ANY
;; ANSWER SECTION:
domain2.lan.       600     IN      A       192.168.68.21
domain2.lan.       600     IN      A       172.28.1.3
domain2.lan.       600     IN      A       172.28.1.2
domain2.lan.       600     IN      A       192.168.68.20
domain2.lan.       3600    IN      NS      labdc01.lab.lan.
domain2.lan.       3600    IN      NS      labdc02.lab.lan.
domain2.lan.       3600    IN      NS      labex01.lab.lan.
domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.
domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.
domain2.lan.       3600    IN      NS      mordor.softlink.ch.
domain2.lan.       3600    IN      NS      shire.softlink.ch.
domain2.lan.       3600    IN      NS      labex02.lab.lan.
domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.
domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.
domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.
domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
;; ADDITIONAL SECTION:
labdc01.lab.lan.        3600    IN      A       172.28.2.196
bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20
bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21
bsfs02.domain2.lan. 1649   IN      A       172.28.1.2
bsfs03.domain2.lan. 595    IN      A       172.28.1.3
So i assume dns is working fine.
Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?
thanks & regards
Alex

Access connections 5.50 and EAP TLS with Computer certificate

Hello,
I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
OS is windows XP with SP3 and all the windows update (as of today).
On my Radius server this is what I get:
If I use WZC I get this in the authentication:
Security ID: DOMAIN\R61WXP$ (this is my computer name)
Account name: host/R61WXP.domain.local
Account Domain: DOMAIN
FQDN: DOMAIN\R61WXP$
When I use Access Connections:
Security ID: DOMAIN\Guest
Account name:
Account Domain: DOMAIN
FQDN: DOMAIN\Guest
My Access connection profile is set this way:
IEEE802.1x => Authenticate as Computer when the information is available.
I hope someone can help !
Thanks!

Hi,
try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
Make also sure, that the profile connection is correctly configured in the AC profile settings.
This mighe the the root cause.
I can tell you, that there must be something missconfigured, as this configuration will surelly work .
Cheers

EAP-TLS 802.1x Certificate issue

Hi,
I have some issues trying to connect to my enterprise network. I'm using this link to get my certificate in my device :
here
Here's my device :
BlackBerry Curve 9360
7.1 Bundle 2841
(v7.1.0.1047, Platform 9.6.0.160)
Every time i do that, it goes in "other's certificates" instead of "personnal certificate"
When I try to go to connect to the wifi, I choose the right CA certificate which is "COMPANY-CA" and then I have a "none available" client certificate.
I would like to know if there's somehing wrong with my user template certificate or something related to the configuration in my blackberry phone.
Can anyone help me please?
Thanks in advance.

Have you looked at this:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
Try to open up the certificate and verify that it looks something like this:
-----BEGIN CERTIFICATE-----
IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
eUv4viaap9fTfcVM=
-----END CERTIFICATE-----

EAP-TLS Machine Authentication/Certificate

Similar Messages

Maybe you are looking for