802.1x - ACS 3.3 with AD Integration

charshman (Level 1)

I'm running into an issue using AD integration and 802.1x. A previous thread on this indicated the 802.1x authentication occurred prior to the domain login process.

However, when I attempt to log in to a machine using a domain account and that account profile is not cached on the machine, the authentication fails, indicating it could not contact the specified domain.

Obviously the 802.1x authentication is not occurring to open the port and then pass the domain credentials to the AD. The ACS is configured to pass unknown users to the AD for authentication, at which point the ACS should import the account.

Why is the 802.1x failing for uncached user accounts?

2 Replies

amritpatek (Level 6)

Try these steps:

1. Check your NTLM version.

NTLMv2 is not supported between ACS and AD. Only NTLM is supported.

2. Check your authentication method.

For authenticating dot1x users against the external database you need to use either PEAP or EAP-TLS as the authentication method. Both of these involve certificates. EAP-MD5 is not supported for authentication against an external database.

Try these links:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/ra/rawi.htm

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm#wp624132

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a008031479e.html
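The first step in the reply above is to confirm which NTLM version the hosts on the ACS-to-AD path will negotiate. On Windows that is governed by the LmCompatibilityLevel registry value (the "LAN Manager authentication level" policy). The following PowerShell is an added example, not code from the original thread or from Cisco: it reads the value on the local host and reports whether NTLM (v1) is still sent and still accepted. The function and property names are this example's own; the registry path and the meaning of each level are Microsoft's documented ones. Run it on the ACS host (which matters as the sender) and separately on the domain controllers it queries (which matter as the acceptors).

```powershell
# Added example (not from the original thread): report the host's LmCompatibilityLevel
# and whether it still permits NTLM (v1), which the reply above says ACS 3.3 requires
# for its AD lookups. Function and property names are this example's own.

function Get-NtlmCompatibility {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LmCompatibilityLevel'

    # Meaning of each level, per Microsoft's documentation of the
    # "Network security: LAN Manager authentication level" policy.
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM & NTLM'
    }

    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies (Windows XP: 0, Server 2003: 2,
        # Vista/Server 2008 and later: 3, i.e. NTLMv2 only as a sender).
        $level = $null
    } else {
        $level = [int]$item.$name
    }

    if ($null -eq $level) {
        $desc    = 'Not set (OS default applies)'
        $sends   = 'Unknown (check OS default)'
        $accepts = 'Unknown (check OS default)'
    } else {
        $desc = $meaning[$level]
        # Levels 0-2 still send an NTLM (v1) response; 3+ send NTLMv2 only.
        $sends = if ($level -le 2) { 'Yes' } else { 'No' }
        # As an acceptor (relevant on the DC), only level 5 refuses NTLM (v1).
        $accepts = if ($level -le 4) { 'Yes' } else { 'No' }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Level         = $level
        Meaning       = $desc
        SendsNtlmV1   = $sends
        AcceptsNtlmV1 = $accepts
    }
}

Get-NtlmCompatibility | Format-List
```

If the ACS host reports SendsNtlmV1 = No, or a domain controller reports AcceptsNtlmV1 = No, the ACS-to-AD lookup is the first place to look before blaming the laptop's cached credentials.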

pbunet (Level 1)

I have a few suggestions to make:

1) Before you try for an uncached user who is in AD, please configure a user in ACS that is not cached on your laptop and see if that user is able to authenticate. If this user is able to authenticate then the issue is with ACS ----> AD; if this user is not able to authenticate, the issue is with the laptop not sending the right credentials.

2) If the above does not work then the issue is because of the laptop; to correct this you need to check the link below, which talks about clearing the old cached credentials.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

Let me know how this goes; if both suggestions do not work then we need to inspect the package.cab file from the ACS.

All the best !!