ACS 5 EAP-TLS WLC Issue

nomadicwifi
Level 1

I have a wireless environment with a Cisco WLC 5508 and some APs. I am using an ACS 5 with an external database of Active Directory. I am also using a Windows Server 2003 as a Certificate Authority.

I tried using PEAP(MSCHAPv2) and the client successfully authenticates through the ACS to the AD. I can't seem to get EAP-TLS to work.

In the ACS I have requested a CSR and got the CA to sign it. I then installed the signed certificate along with the CA. This should be working because the ACS https management page doesn't show a certificate error anymore.

In ACS, under Certificate Authentication Profile, I created a new profile with this configuration:

Principal Username X509 Attribute: Common Name

Check on Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory

Name: AD1 (the same AD that was configured and that works with PEAP(MSCHAPv2))

In Access Policies I chose this profile I created as the identity source.

For the client, I have read several Cisco guides which are a bit old, from the ACS 4 times. I followed the guide to get the client, through a wired network, to go to the CA to request a 'Client Authentication' certificate. I installed the signed cert, along with the CA cert. I checked that the cert is issued to the right name and the certification path is ok. I then configured the client to connect to the wireless network using a certificate and I can't seem to connect. The ACS monitoring dashboard throws up this error:

Description:

Binary Comparison to certificate failed

Resolution Text:

Check if the client certificate matches the certificate issued by the CA exposed through the ID store.

Where have I gone wrong in the configuration?

2 Replies

jrabinow
Level 7

Deselect the option for "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" and then see if it works.

Only select this option if you will in fact store a copy of the cert in AD for comparison purposes

Previously I configured the ACS without "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" checked and the error message was something like "trying to compare certificate while AD returns username", don't remember exactly.

I just got it working by changing the 'Principal username X509 attribute' to Subject.

I am trying to only allow clients with the certificate and the right credentials to join the network. How do I authenticate clients by using the client's certificate signed by the CA to verify the identity without checking "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory"?
