https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363769#M148824 <HTML><HEAD></HEAD><BODY><P>Wonderful. Thanks for sharing!!!</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 22:54:48 GMT Jatin Katyal 2013-10-28T22:54:48Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363764#M148740 <P>Hello guys,</P><P></P><P>I am trying to test the wireless authentication and authorization with my wireless users via ACS 4.2. I have the 4.2 trial version on Windows 2003 for testing. I also have WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.</P><P>The Windows 2003 is part of the domain; and on the ACS, if I go to External Databse &gt; Database Configuration &gt; Windows Database &gt; Configure</P><P>From here I selected my domain, tick "Enalble EAP-TLS Machine Authentication". I also have mapped the domain to the group I created in ACS. </P><P>I also chaged the default RADIUS ports to 1812 and 1813 on the ACS.</P><P></P><P>On my WLC 5508, I created a WLAN and set the RADIUS IP to the ACS IP address. However, I tried to join the wireless network. It keep failing.</P><P>I have installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to AD/NPS that I have, my test laptop was able to join the wireless network via EAP-TLS.</P><P></P><P>I am a little confuse about the ACS TACACS+. Is TACACS+ used only for logging into network devices for management or can it be used for regular users for authentication and authorization?</P><P>For example, a wireless user, which is part of the domain, need to join a wireless enterprise network for his office work. Can I use TACACS+ for this or it has to be RADIUS via ACS 4.2?</P><P></P><P></P><P></P><P>Thanks</P> Mon, 11 Mar 2019 04:02:36 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363764#M148740 steelinquisitor 2019-03-11T04:02:36Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363765#M148749 <HTML><HEAD></HEAD><BODY><P>No, we can't use tacacs+ for wireless. It has to be radius.</P><P></P><P>So have you added wireless controller on ACS as a radius aaa client?</P><P></P><P>What all certificates have you installed on ACS server?</P><P></P><P>What error message are we getting when you point WLC towards ACS and try to authenticate wireless users?</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 18:09:05 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363765#M148749 Jatin Katyal 2013-10-28T18:09:05Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363766#M148757 <HTML><HEAD></HEAD><BODY><P>if I understand you correctly, tacacs+ is not used for client wireless authentication. Am I right? I am assuming this is also applies to wired users.</P><P></P><P>Yes, I added the WLC 5508 as a radius client "RADIUS (Cisco IOS/PIX 6.0)."</P><P></P><P>This is the log that I got from the ACS:</P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 2153px;"><TBODY><TR style="height: 15.0pt;"><TD height="20" style="height: 15.0pt; width: 56pt;" width="75">Date</TD><TD style="width: 48pt;" width="64">Time</TD><TD style="width: 73pt;" width="97">Message-Type</TD><TD style="width: 106pt;" width="141">User-Name</TD><TD style="width: 71pt;" width="95">Group-Name</TD><TD style="width: 86pt;" width="115">Caller-ID</TD><TD style="width: 146pt;" width="194">Network Access Profile Name</TD><TD style="width: 142pt;" width="189">Authen-Failure-Code</TD><TD style="width: 103pt;" width="137">Author-Failure-Code</TD><TD style="width: 62pt;" width="83">Author-Data</TD><TD style="width: 48pt;" width="64">NAS-Port</TD><TD style="width: 80pt;" width="106">NAS-IP-Address</TD><TD style="width: 89pt;" width="118">Filter Information</TD><TD style="width: 140pt;" width="187">PEAP/EAP-FAST-Clear-Name</TD><TD style="width: 48pt;" width="64">EAP Type</TD><TD style="width: 79pt;" width="105">EAP Type Name</TD><TD style="width: 48pt;" width="64">Reason</TD><TD style="width: 79pt;" width="105">Access Device</TD><TD style="width: 113pt;" width="150">Network Device Group</TD></TR><TR style="height: 15.0pt;"><TD align="right" height="20" style="height: 15.0pt;">10/28/2013</TD><TD align="right">14:25:31</TD><TD>Authen failed</TD><TD>client01@aaeng.local</TD><TD>Default Group</TD><TD>44-94-fc-5b-21-19</TD><TD>(Default)</TD><TD>EAP_TLS Type not configured</TD><TD><BR /></TD><TD><BR /></TD><TD align="right">1</TD><TD>172.28.255.42</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>RK2WLC5508-01</TD><TD><BR /></TD></TR><TR style="height: 15.0pt;"><TD align="right" height="20" style="height: 15.0pt;">10/28/2013</TD><TD align="right">14:25:35</TD><TD>Unknown NAS</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>(Unknown)</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>172.28.255.42</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD></TR><TR style="height: 15.0pt;"><TD align="right" height="20" style="height: 15.0pt;">10/28/2013</TD><TD align="right">14:26:26</TD><TD>Authen failed</TD><TD>client01@aaeng.local</TD><TD>Default Group</TD><TD>44-94-fc-5b-21-19</TD><TD>(Default)</TD><TD>EAP_TLS Type not configured</TD><TD><BR /></TD><TD><BR /></TD><TD align="right">1</TD><TD>172.28.255.42</TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>RK2WLC5508-01</TD><TD><BR /></TD></TR></TBODY></TABLE><P></P><P>I am not sure how to install the CA into ACS.</P></BODY></HTML> Mon, 28 Oct 2013 19:45:35 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363766#M148757 steelinquisitor 2013-10-28T19:45:35Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363767#M148767 <HTML><HEAD></HEAD><BODY><P>yes that's right and it applies to wired as well.</P><P></P><P>On the ACS, please add WLC as a AAA client with <STRONG>radius (Cisco airespace)<BR /></STRONG></P><P></P><P>Configuring WLC and ACS for radius settings.</P><P><A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml</A></P><P></P><P></P><P>You may visit the below listed link to install certificate on ACS 4.2</P><P><A href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html</A></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 20:05:34 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363767#M148767 Jatin Katyal 2013-10-28T20:05:34Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363768#M148792 <HTML><HEAD></HEAD><BODY><P>Thanks. The link you have provided helps me to make EAP-TLS wireless working<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 28 Oct 2013 22:39:54 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363768#M148792 steelinquisitor 2013-10-28T22:39:54Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363769#M148824 <HTML><HEAD></HEAD><BODY><P>Wonderful. Thanks for sharing!!!</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 22:54:48 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363769#M148824 Jatin Katyal 2013-10-28T22:54:48Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363770#M148866 <HTML><HEAD></HEAD><BODY><P>I have another question regarding the passwords for my servers.<BR />Since I joined my Windows 2003 with ACS 4.2 to the domain, my admin password for my AD/NPS and CA servers have changed to the Windows 2003 admin password.<BR /><BR />Is this normal?<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 29 Oct 2013 13:50:49 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363770#M148866 steelinquisitor 2013-10-29T13:50:49Z https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363771#M148923 <HTML><HEAD></HEAD><BODY><P>that's nothing to do with ACS joining AD (Domain). This is not a default behaviour.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Wed, 30 Oct 2013 13:10:58 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-wireless-authentication/m-p/2363771#M148923 Jatin Katyal 2013-10-30T13:10:58Z