Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
398
Views
1
Helpful
6
Replies

ISE 3.2 p3 - Cert based Machine auth does not work

Go to solution
mtar
Level 1
Level 1

‎01-29-2024 02:34 AM

Hello!

We have implemented Windows 10 native client TEAP authentication, which works perfectly if the User and the Machine is authenticated via MSCHAPv2.  So the EAP-Chaning is working in the environment.

But If we want use EAP-TLS to authenticate the machine via Certificate the following error appears:

  22070 Identity name is taken from certificate attribute
  22047 User name attribute is missing in client certificate - Subject - Common Name
  22002 Authentication complete
  22057 The advanced option that is configured for a failed authentication request is used
  22061 The 'Reject' advanced option is configured in case of a failed authentication request
  12529 Inner EAP-TLS authentication failed

The certificate is on the machine, the common name is name of the machine and it exist in the AD.

TEAP config is okay, the certificate is selected which to use during the dot1x authentication.

 

But still the Machine cannot auth itself

What could be the problem?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mtar
Level 1
Level 1

‎04-15-2024 04:29 AM

Hello!

It turned out a well known bug caused this issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf80292

BR

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Aref Alsouqi
VIP
VIP

‎01-29-2024 03:23 AM

Which option you switched to EAP-TLS in TEAP properties on the supplicant settings? please note that the primary EAP authentication method is referring to the machine authentication, and the secondary is referring to the user authentication.

Go to solution
mtar
Level 1
Level 1
In response to Aref Alsouqi

‎01-29-2024 04:56 AM

Hello Aref!

I know it as the exact opposite. Like the primary is the user and Secondary is the machine.

The above reffered logs are part of the Machine authentication logs, so I think I am right.

 

BR,

Mate

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎01-29-2024 07:03 AM

Hello Mate, you're right, my bad, I flipped them around. Do you also have a SAN value on the cert with the machine name? if so, could you please change the CAP on ISE and set the DNS SAN instead of the CN attribute?

0 Helpful

Go to solution
mtar
Level 1
Level 1
In response to Aref Alsouqi

‎01-30-2024 12:02 AM

Hello!

Unfortunately there is no SAN field in the certificate, although we have tried to modify the CAP according to it, but we get an authentication error during the dot1x process . Which is expected since there is no SAN field.

Thx,

Mate

0 Helpful

Go to solution
mtar
Level 1
Level 1

‎04-15-2024 04:29 AM

Hello!

It turned out a well known bug caused this issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf80292

BR

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to mtar

‎04-15-2024 06:29 AM

Thanks for sharing this. Did the suggested workaround fixed the issue?

0 Helpful
Customers Also Viewed These Support Documents