cisco ACS 5.2 + EAP TLS + windows 2003 AD

Gaj Anna
Level 1

Hi All,

Anyone have a good guide to do the eap tls with acs 5.2 and AD? 

I am running ACS 5.2 in VMware Server. The APs connect to a 2006 WLC controller which points to ACS 5.2. The external identity store is connected with Win2k3 AD.

I have followed the guide for eap-tls with ACS 4.0 but not working. I think ACS 5.2 is different in generating certificates.

Did the following,

1. Installed Windows 2k3 Enterprise Server with AD and CA

2. Created an ACS template and enabled it in the CA server

3. Generated a local certificate in ACS bound with the CA-signed certificate.

4. Installed CA and user certificate on the Windows XP client. Using Intel PROSet utility to configure EAP-TLS.

During the connection from the client, the ACS RADIUS log shows authentication method as EAP-TLS but the error is "cannot find client trusted CA in identity store etc..."

Once I import the server CA certificate in the identity store in ACS, the RADIUS log shows authentication method as X509_pki.

Why does this change to X509, and please guide me on any changes needed for EAP-TLS to work?

Thanks in advance

Gaj

1 Reply

jrabinow
Level 7

I am assuming that you are using a newly installed ACS system and so will point out any changes that need to be made to the configuration after installation to support your EAP-TLS use case:

- from your description it looks to me as if you have defined the certificate in the list of Certificate Authorities:

Users and Identity Stores > Certificate Authorities

- by default after installation authentication is performed against the internal identity store. You can see this at:

Access Policies > Access Services > Default Network Access > Identity

However, in the case of EAP-TLS no authentication is performed against an identity store. Instead you need to configure a Certificate Authentication Profile as the result of the policy. This defines the certificate attribute that contains the user name and optionally whether binary comparison of the certificate is to be performed. There is a default profile called "CN Username" that is defined at system installation, and you can define others at: Users and Identity Stores > Certificate Authentication Profile

To change the result of the identity policy for RADIUS requests to use a certificate authentication profile, go to:

Access Policies > Access Services > Default Network Access > Identity

press the link for the "default" rule, select the "Identity Source" as the profile, press "OK" and then "Save Changes".

If this doesn't help, please update with the error cause that is being seen.
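The reply above describes two checks ACS makes on an EAP-TLS client certificate: the issuing CA must be in the trusted list (otherwise you get the "cannot find client trusted CA" failure from the original post), and the Certificate Authentication Profile then picks a subject attribute such as CN as the user name, optionally with a binary comparison of the whole certificate. The script below is an added example that reproduces those checks with the openssl CLI; it is not from this thread or from Cisco. The CA names, the user name `user1`, the temporary files and the helper function names are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): mimic the EAP-TLS client certificate
# checks an authentication server such as ACS performs, using plain openssl.
# Assumes the openssl CLI is installed. All material is constructed on the fly.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed lab CA: the CA that must appear under
# Users and Identity Stores > Certificate Authorities for the chain check to pass.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Lab CA" -days 30 >/dev/null 2>&1

# Constructed client certificate issued by that CA; CN carries the user name,
# which is what the default "CN Username" profile extracts.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=user1" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem -days 30 >/dev/null 2>&1

# A second, unrelated CA: stands in for "the issuing CA is not in the trust list".
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=Unrelated CA" -days 30 >/dev/null 2>&1

# verify_chain CLIENT_PEM CA_PEM: succeeds only if the client cert chains to CA_PEM.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_cn CERT_PEM: print the subject CN, i.e. the user name a CN-based profile would use.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# same_cert A_PEM B_PEM: the "binary comparison" option, approximated here by
# comparing SHA-256 fingerprints of the presented and the stored certificate.
same_cert() {
  fp_a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  fp_b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$fp_a" = "$fp_b" ]
}

# Walk through the checks the way the server would, reporting each outcome.
if verify_chain client.pem ca.pem; then
  echo "chain check against Example Lab CA: OK"
else
  echo "chain check against Example Lab CA: FAILED"
fi
if verify_chain client.pem other.pem; then
  echo "chain check against Unrelated CA: OK (unexpected)"
else
  echo "chain check against Unrelated CA: FAILED (CA not trusted, as in the thread's error)"
fi
echo "user name from CN: $(cert_cn client.pem)"
if same_cert client.pem client.pem; then
  echo "binary comparison with stored copy: match"
fi
```

Running it shows the first chain check passing, the second failing with the same meaning as the "cannot find client trusted CA" message, and `user1` being taken from the CN. Which subject attribute the real profile reads is configured in ACS; this script only shows CN because that is the default profile named in the reply.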