Lab Minutes Forum

Technical Discussion => Security => Topic started by: goat1803 on December 09, 2014, 06:13:22 PM

Title: ACS 5.5.0.46.7 - Issues with 802.1x Binary Cross Check to AD on 2012R2
Post by: goat1803 on December 09, 2014, 06:13:22 PM
I have ACS serving as the authentication server in a cert-based 802.1x setup, trying to authenticate EVGA PD07 zero clients to my lab AD domain utilizing EAP-TLS.

I've set up NDES services, pushing .pem certificates to my zero clients via SCEP. I haven't configured auto-enroll yet, so I manually issue the cert from the CA, and then export the issued cert (.cer) to a file. From there, I publish the cert with a user object in AD.

I have the client cert / CA loaded correctly on ACS, all of the LDAP is working as far as querying groups and such is concerned, and I can authenticate the presented zero client certificate against the AD-published cert using the Common Name attribute. The only thing that doesn't work is Binary Cross Check. The logs throw a 22056 error (subject not in applicable identity store) and reject the attempt. As soon as I go into the authentication profile and disable the cross check, it authenticates successfully.

Any ideas?

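An added diagnostic (not code from the thread or from ACS) that performs the same comparison a binary cross check makes: it tests whether the exact DER bytes of the certificate the zero client presents are among the userCertificate values published on the AD user object, and separately whether only the Common Name matches. It assumes the ActiveDirectory PowerShell module on a domain-joined host, and takes the exported .cer/.pem path and the user's sAMAccountName as parameters.

```powershell
# Added example, not from the original post. Compares a client certificate file
# against the userCertificate attribute of an AD user. ACS binary cross check
# passes only on a byte-for-byte match of the DER encoding, so "CN matches but
# no binary match" is the situation that produces a rejection even though a
# Common Name comparison succeeds.
param(
    [Parameter(Mandatory)][string]$CertPath,        # assumed: exported .cer or .pem
    [Parameter(Mandatory)][string]$SamAccountName   # assumed: AD user the cert was published to
)
Import-Module ActiveDirectory

$X509  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$Simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# X509Certificate2(fileName) accepts both DER (.cer) and Base64/PEM input.
$client   = New-Object $X509 -ArgumentList $CertPath
$clientCN = $client.GetNameInfo($Simple, $false)

# userCertificate is multi-valued; every value is the raw DER of one published cert.
$user      = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$published = @($user.userCertificate | ForEach-Object {
    New-Object $X509 -ArgumentList (,[byte[]]$_)   # leading comma passes byte[] as one argument
})

"Client cert : CN={0} serial={1} thumbprint={2}" -f $clientCN, $client.SerialNumber, $client.Thumbprint
"Published   : {0} certificate(s) on {1}" -f $published.Count, $user.DistinguishedName

$cnMatch = $false
foreach ($p in $published) {
    $pCN = $p.GetNameInfo($Simple, $false)
    if ($pCN -eq $clientCN) { $cnMatch = $true }
    # Thumbprint is SHA-1 over the DER bytes, so equal thumbprints mean identical encodings.
    $binaryMatch = ($p.Thumbprint -eq $client.Thumbprint)
    "  CN={0} serial={1} notAfter={2} binaryMatch={3}" -f $pCN, $p.SerialNumber, $p.NotAfter, $binaryMatch
}

if ($published.Thumbprint -contains $client.Thumbprint) {
    'RESULT: exact DER match found on this user object; a binary cross check has what it needs.'
} elseif ($cnMatch) {
    'RESULT: CN matches but no byte-for-byte match; a CN check passes while a binary check fails.'
    '        Check whether the published .cer is the same issued certificate the client received.'
} else {
    'RESULT: neither CN nor binary match on this user object.'
}
```

Run it from an elevated domain-joined session; the per-certificate lines show which published serial, if any, is the one the client actually presents.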
Title: Re: ACS 5.5.0.46.7 - Issues with 802.1x Binary Cross Check to AD on 2012R2
Post by: MC on December 12, 2014, 12:00:56 AM
Can you please elaborate on how you actually get the cert on the client, and also what you mean by publishing the cert with the user object in AD? What is the problem with having the binary check disabled? Is it for a security reason or something else?