Hi everybody,
I'm trying to use Machine Authentication (with machine credentials) in order to authenticate the machine against AD through the Infranet Controller. The problem is that the machine is not authenticated.
I followed all the suggestions for configuring the Odyssey client, but I am not sure whether I have configured the authentication with AD correctly.
In the past, tech support told me that it is not supported (for IC 2.0 and Odyssey 4.6). The workaround was to use a generic user account to authenticate the machine, but I think that the latest releases have solved this problem.
Can anybody help me with this issue?
Thanks and Best regards
Sergio Magra
Stanislas,
I will follow your suggestions.
Thanks a lot for your help.
Best regards
How did you configure the authentication server? AD/NT or LDAP?
If you want to authenticate the machine and not the user, prefer Machine Certificate Authentication.
If you authenticate the machine with AD, renewal of the machine password (every 3 months) may sometimes cause authentication errors if the password used by Odyssey has been expired by AD.
To configure Machine Certificate authentication in AD, install a Microsoft CA on a server in the domain (it can be the AD server) and configure domain security policies to install certificates on each domain machine. This configuration is as simple as AD authentication.
Stanislas
Stanislas,
Thank you for the answer. Let me say that we tried both authentication server methods: LDAP and AD/NT. In both cases the result was the same: we were not able to authenticate using machine credentials.
You said that it is better to use a MS CA and authenticate with certificates. My question is: how do I configure the authentication server in the IC? Certificate server + LDAP?
I will wait for your comments.
Thanks and Best regards
Sergio
To configure Certificate Authentication, you need to:
- Add the CA certificate (and the full CA chain) under Configuration / Certificates / Trusted Client Certificates.
- Create a Certificate Authentication server to authenticate users.
- Create an LDAP Authentication server for attribute mapping if you want to assign roles based on Windows groups.
- Create a Realm with the two defined servers for Authentication and Directory.
- Create role mapping on this Realm based on LDAP or certificate fields.
If you use LDAP for role mapping, LDAP server unavailability will cause authentication failure. That's why we used certificate fields such as OU or Title to assign different roles for a customer with Certificate Authentication, so we did not use LDAP for the directory search.
Regards,
Stanislas
Stanislas,
I followed the steps in the simplest way (without using the LDAP server) but I cannot authenticate. The following error message repeats after trying to authenticate: Missing or invalid client certificate
The certificate is valid for the Microsoft CA.
Can you help me with this problem?
Thanks and Best regards
Hi,
Did you add the Microsoft CA to Trusted Client CAs?
In this CA's properties, you need to check that:
- "Trusted for Client Authentication?" is checked
- "Verify Trusted Client CA" is unchecked
- "Client certificate status checking" is set to None
Did you configure the */ Sign-in URL to use your new Realm with the 802.1X Protocol Set? (And only this one when using machine authentication.)
On OAC, you need to configure the profile with these settings:
- Login Name: (erase the default one)
- On the Password tab, disable "Permit login using password"
- On the Certificate tab, enable "Permit login using my certificate" and check "Use automatic certificate selection"
- On the Authentication tab, choose EAP-TTLS
- On the TTLS tab, remove EAP-MS-CHAP-V2 and select "Use my certificate and perform inner authentication"
Validate that the machine certificate is installed on the PC:
- Open MMC
- Add/Remove Snap-in, Certificates, Computer Account
- The certificate must be in the Personal folder
If the certificate is not installed, reboot the PC to apply the domain security policies and install the certificate (connected to the network without 802.1X).
regards,
Stanislas
Stanislas,
I was able to use certificate authentication in order to authenticate the machine.
The client was not configured in the right way.
Do you have any example of matching some certificate field in order to determine the role that applies?
Thanks and Best regards
Sergio Magra
Hi,
Organise your AD architecture with OUs and move the computers into them. When the certificate is created on the PC, it will contain this organisation.
After that, you have to create role mapping rules based on Certificate. In Attribute, enter OU; in "is", enter the name of the OU.
Regards,
Stanislas
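The two client-side checks in this thread (Stanislas's earlier MMC check that a machine certificate sits in the Computer Account "Personal" store, and his last reply on mapping roles from the certificate's OU) can be done from a PowerShell prompt on the domain PC. The script below is an added example, not from the original thread and not Juniper or Microsoft code: it lists certificates in Cert:\LocalMachine\My issued by the domain CA that have a private key and the Client Authentication EKU (the ones OAC's "automatic certificate selection" can pick), builds the chain the way the IC will with status checking set to None, and prints the OU values from the Subject DN so you can see exactly what string a Certificate role-mapping rule "OU is <value>" would have to match. The issuer name `CORP-ISSUING-CA` is a placeholder assumption; pass your CA's common name with `-IssuerCN`.

```powershell
# Added example (not from the original thread). Inspect the Computer certificate
# store the way the MMC "Certificates (Local Computer) > Personal" check does, and
# show the Subject OU values a Certificate role-mapping rule would match.
# Assumption: the issuing CA's common name is passed as -IssuerCN; the default
# 'CORP-ISSUING-CA' is a placeholder.
param(
    [string]$IssuerCN = 'CORP-ISSUING-CA'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Same store the MMC Computer Account snap-in shows as "Personal".
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -match "CN=$([regex]::Escape($IssuerCN))" -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }

if (-not $candidates) {
    Write-Warning "No certificate from CN=$IssuerCN with a private key and Client Authentication EKU in Cert:\LocalMachine\My."
    Write-Warning "Apply domain policy (gpupdate /force) while connected without 802.1X, then re-run this check."
    return
}

foreach ($cert in $candidates) {
    $now   = Get-Date
    $valid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Build the chain against the local Trusted Root / Intermediate stores. The IC
    # needs the same chain under Trusted Client CAs, otherwise it reports
    # "Missing or invalid client certificate".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # mirrors "status checking = None"
    $chainOk = $chain.Build($cert)

    "Thumbprint : $($cert.Thumbprint)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Valid now  : $valid ($($cert.NotBefore.ToString('u')) .. $($cert.NotAfter.ToString('u')))"
    "Chain OK   : $chainOk"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) $($_.StatusInformation)" }
    }

    # OU components of the Subject DN: these are the literal strings to enter in a
    # role-mapping rule of the form "Certificate attribute OU is <value>".
    $ous = [regex]::Matches($cert.Subject, '(?:^|,\s*)OU=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
    if ($ous) {
        "OU values  : $($ous -join ' | ')"
    } else {
        "OU values  : (none in Subject; an OU-based role-mapping rule would not match this certificate)"
    }
}
```

Run it in an elevated prompt so the private-key flag is reported correctly. If the script prints a certificate but `OU values` is empty, the certificate template is not putting the AD OU into the subject, and role mapping has to use another certificate field (or the LDAP directory server) instead.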