954 Views | 0 Helpful | 7 Replies

ACS 5.3 Dot1x for Wired/Wireless

shrazar85
Level 1

Hi Community,

I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. Also, we are using Microsoft AD to authenticate clients for network access.

My questions are

1. Can we configure dot1x in this scenario to use password only (no certificates needed at all)? Or do we need certificates in order to configure it properly (e.g. AD and ACS sync issues, etc.)?

2. If yes, can someone point me to any good docs that can help?

Regards,
Hammad

Accepted Solution

Jatin Katyal
Cisco Employee

Hi Hammad,

1.] Password-based authentication for dot1x can be done with PEAP-MSCHAPv2, and that does require a certificate at least on the server side. If you would like to use the option "validate server certificate", then you need to install the root/subordinate certificate on the client side as well.

ACS doesn't use a certificate to talk to AD. It uses a special agent called Adagent.

2.] Here are a few useful documents:

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc6506.shtml

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


7 Replies

Hi Jatin,

Thanks for the reply. Actually, I am configuring this fresh setup for network access.

I started configuring ACS 5.3 and initially I was able to sync with AD and could see AD users/groups.

But as soon as I started installing certificates on ACS, the ACS server stopped syncing with AD and showed the error "Connection to domain failed"; in the further info I got "LDAP/UDP Status Error". Also, adclient shows "execution failed" in the CLI.

Now I have installed ACS 5.4, and right now the connection test with AD is fine.

1. You mentioned above that for dot1x configs ACS must exchange a certificate with AD? (Correct me if I am wrong.)
2. Should we install the certificate first and then connect with AD, or vice versa?
3. Any suggestions to avoid this adclient issue happening?

Regards

Hammad

There might be some other reason for the services getting stuck. However, ACS doesn't use any certificate to communicate with AD.

Integrating ACS with AD first and installing the certificate later should not be an issue.

How exactly are you installing the certificates? Please explain.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

I am using the following steps:

1. Get the AD root certificate.
2. Install the root cert on ACS.
3. Generate an ACS certificate request and copy the value.
4. Generate a new certificate on AD by copy/pasting the certificate request value from ACS.
5. Copy the newly generated certificate from AD to the ACS local store.
6. Bind this new AD-issued certificate in ACS.

Also, can you please explain further:

"1.] Password-based authentication for dot1x can be done with PEAP-MSCHAPv2, and that does require a certificate at least on the server side" (why do we need these certificates?).

Regards,

Hammad
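Jatin's point that PEAP-MSCHAPv2 needs a certificate on the server side, and the six steps above, come down to one trust relationship: the client authenticates the RADIUS server only by checking that the server's certificate chains to a root the client trusts, and the MSCHAPv2 password exchange then runs inside the TLS tunnel that certificate protects. A client that does not validate the server certificate will build that tunnel with any server, including an impostor that can harvest the MSCHAPv2 challenge/response. The script below is an added example, not code from the thread or from Cisco: it reproduces the CSR-and-sign workflow with the `openssl` command line (standing in for the AD Enterprise CA and for ACS, which is an assumption) and then runs the check a supplicant makes when "validate server certificate" is on, once against the enterprise root and once against an unrelated root. All names (`Example Enterprise Root CA`, `acs.example.local`, `Unrelated Root CA`) are invented for the demo; it needs the `openssl` binary on the PATH.

```python
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run an openssl subcommand, raising if it fails."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_chain(workdir):
    """Reproduce the thread's steps 1-6 with openssl (demo stand-ins, not ACS/AD):
    a self-signed root standing in for the AD Enterprise CA, a CSR standing in
    for the one ACS generates, the CA-signed server certificate that ACS binds,
    and a second, unrelated root to model an impostor RADIUS server."""
    def p(name):
        return os.path.join(workdir, name)

    # Step 1: the enterprise root certificate (self-signed; openssl's default
    # v3_ca profile marks it CA:TRUE).
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
             "-subj", "/CN=Example Enterprise Root CA",
             "-keyout", p("root.key"), "-out", p("root.pem"))
    # Step 3: key pair and certificate request for the RADIUS (ACS) server.
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", "/CN=acs.example.local",
             "-keyout", p("acs.key"), "-out", p("acs.csr"))
    # Step 4: the CA signs the request; the result is the certificate that is
    # copied back to ACS and bound (steps 5 and 6).
    _openssl("x509", "-req", "-in", p("acs.csr"), "-CA", p("root.pem"),
             "-CAkey", p("root.key"), "-CAcreateserial", "-days", "1", "-sha256",
             "-out", p("acs.pem"))
    # A root that has nothing to do with the enterprise CA: a client that only
    # trusts this one must reject the ACS certificate.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
             "-subj", "/CN=Unrelated Root CA",
             "-keyout", p("other.key"), "-out", p("other.pem"))
    return {"root": p("root.pem"), "acs": p("acs.pem"), "other": p("other.pem")}


def chains_to(ca_pem, cert_pem):
    """The check a supplicant performs with 'validate server certificate' on:
    does the RADIUS server's certificate chain to a root installed on the client?"""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_pem, cert_pem],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def run_demo():
    """Build the chain in a scratch directory and evaluate both client trust stores."""
    with tempfile.TemporaryDirectory() as d:
        f = build_chain(d)
        return {
            "client_with_enterprise_root": chains_to(f["root"], f["acs"]),
            "client_with_other_root": chains_to(f["other"], f["acs"]),
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accept server' if ok else 'reject server'}")
```

The first result is what step 2 in reverse buys you on the client: the root installed there is what makes the "validate server certificate" check pass for the real ACS. The second result is the protection that check gives against an impostor. A Windows supplicant additionally expects the Server Authentication EKU in the ACS certificate, which this demo omits, and the trusted-root selection in the PEAP profile is what turns `chains_to` into a real check rather than a warning the user can click through.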

I've attached 2 documents for your reference. Please review those for better understanding.

1.] How to integrate ACS with AD.

2.] Configuring Peap mschapv2 on ACS

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc6506.shtml

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks, Jatin, for the support. I will follow these first and then let you know about the progress.

Regards,

Hammad

Hi Jatin,

Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.

I am getting MAB as well as dot1x authentication. But for two different users I am getting two different results for dot1x, and I am wondering why this is happening. Is it an ACS/switch config issue, or is it related to AD?

I am finding that one user gets perfectly authenticated while the other shows "Authorization failed" yet is still able to access the network.

#$cation sessions interface tenGigabitEthernet 1/1/12
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: ABC\shuser
              Status: Authz Success
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-auth
    Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
             ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AA000010000010548A006AC
     Acct Session ID: 0x000007A4
              Handle: 0xA1000106

Runnable methods list:
       Method   State
       dot1x    Authc Success

CS01#$cation sessions interface tenGigabitEthernet 1/1/12
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: host/TESTPC01.sportshub.com.sg
              Status: Authz Failed
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-auth
    Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AA000010000010648A11C04
     Acct Session ID: 0x000007AD
              Handle: 0x61000107

Runnable methods list:
       Method   State
       dot1x    Authc Success

================================

SWITCH PORT CONFIG:

int ten1/1/9
switchport mode access
dot1x pae authenticator
dot1x port-control auto
authentication host-mode multi-auth
authentication violation restrict
!
dot1x timeout tx-period 10
dot1x timeout quiet-period 20
!
authentication timer reauthenticate server
dot1x max-reauth-req 3

Regards,

Hammad
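The two session dumps above are the evidence Hammad has to work with, and they are the evidence an incident responder would also work with on a port where something unexpected has network access. The script below is an added example, not code from the thread or from Cisco: it parses `show authentication sessions interface` output into one dictionary per session (the `$` after the `CS01#` prompt is IOS's marker that the command line was scrolled sideways, so prompt lines are skipped) and then flags the two things visible in Hammad's output: a session whose dot1x method reads `Authc Success` while the session status reads `Authz Failed` and no ACS ACL is present, and a single MAC that appears under both a machine (`host/`) identity and a user identity, so that the two ACS authorization results can be compared. The sample input is copied from the post above with blank lines collapsed, not constructed; the parsing of the field layout is an assumption based on that output.

```python
import re

# Sample input: the two outputs posted in the thread (blank lines collapsed,
# one intervening prompt kept to exercise the prompt filter). Copied, not constructed.
SAMPLE = r"""
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: ABC\shuser
              Status: Authz Success
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-auth
    Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
             ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AA000010000010548A006AC
     Acct Session ID: 0x000007A4
              Handle: 0xA1000106
Runnable methods list:
       Method   State
       dot1x    Authc Success
CS01#
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
          IP Address: 10.160.193.100
           User-Name: host/TESTPC01.sportshub.com.sg
              Status: Authz Failed
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-auth
    Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AA000010000010648A11C04
     Acct Session ID: 0x000007AD
              Handle: 0x61000107
Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

# An IOS exec prompt: hostname followed by '#' or '>' (covers the scrolled "CS01#$..." form).
PROMPT = re.compile(r"^\S+[#>]")


def parse_sessions(text):
    """Split one or more 'show authentication sessions interface' outputs into dicts.

    Each dict holds the 'Key: value' fields as written by IOS plus a 'methods'
    dict built from the Runnable methods list, e.g. {'dot1x': 'Authc Success'}.
    A new session starts at every 'Interface:' line."""
    sessions, current, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if line.startswith("Interface:"):
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None:
            continue  # text before the first session (e.g. the command echo)
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):
                continue  # column header
            name, _, state = line.partition(" ")
            current["methods"][name] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return sessions


def triage(sessions):
    """Return findings for the patterns an analyst should chase in these sessions."""
    findings = []
    by_mac = {}
    for s in sessions:
        by_mac.setdefault(s.get("MAC Address"), []).append(s)
        ident = s.get("User-Name", "<no identity>")
        if s.get("Status") == "Authz Failed" and s["methods"].get("dot1x") == "Authc Success":
            findings.append(
                f"{ident} on {s.get('Interface')}: dot1x method is 'Authc Success' but the "
                f"session is 'Authz Failed' (ACS ACL: {s.get('ACS ACL', 'none')}, host mode: "
                f"{s.get('Oper host mode')}); check the authorization profile ACS returned "
                f"for this identity and the switch's authorization log for the session"
            )
    for mac, group in by_mac.items():
        names = [g.get("User-Name", "") for g in group]
        machine = [n for n in names if n.startswith("host/")]
        user = [n for n in names if n and not n.startswith("host/")]
        if machine and user:
            findings.append(
                f"{mac}: same endpoint seen as machine identity {machine[0]} and user "
                f"identity {user[0]}; compare the ACS authorization results for the two"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sessions(SAMPLE)):
        print(finding)
```

Run against Hammad's output it reports the machine-account session as authenticated-but-not-authorized with no ACS ACL attached, and points out that both sessions are the same MAC, which is the split (machine authentication versus user authentication of one PC) to take back to the ACS authorization rules rather than to the switch port.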