Cisco ACS Wireless Authentication

steelinquisitor
Level 1

Hello guys,

I am trying to test the wireless authentication and authorization with my wireless users via ACS 4.2. I have the 4.2 trial version on Windows 2003 for testing. I also have WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

The Windows 2003 server is part of the domain; on the ACS, I go to External Database > Database Configuration > Windows Database > Configure.

From here I selected my domain and ticked "Enable EAP-TLS Machine Authentication". I also have mapped the domain to the group I created in ACS.

I also changed the default RADIUS ports to 1812 and 1813 on the ACS.

On my WLC 5508, I created a WLAN and set the RADIUS IP to the ACS IP address. However, when I try to join the wireless network, it keeps failing.

I have installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to AD/NPS that I have, my test laptop was able to join the wireless network via EAP-TLS.

I am a little confused about ACS TACACS+. Is TACACS+ used only for logging into network devices for management, or can it be used for regular users for authentication and authorization?

For example, a wireless user who is part of the domain needs to join a wireless enterprise network for his office work. Can I use TACACS+ for this, or does it have to be RADIUS via ACS 4.2?

Thanks

7 Replies

Jatin Katyal
Cisco Employee

No, we can't use tacacs+ for wireless. It has to be radius.

So have you added wireless controller on ACS as a radius aaa client?

What all certificates have you installed on ACS server?

What error message are we getting when you point WLC towards ACS and try to authenticate wireless users?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

If I understand you correctly, TACACS+ is not used for client wireless authentication. Am I right? I am assuming this also applies to wired users.

Yes, I added the WLC 5508 as a RADIUS client: "RADIUS (Cisco IOS/PIX 6.0)."

This is the log that I got from the ACS:

| Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | NAS-Port | NAS-IP-Address | Access Device |
|---|---|---|---|---|---|---|---|---|---|---|
| 10/28/2013 | 14:25:31 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 |
| 10/28/2013 | 14:25:35 | Unknown NAS | | | | (Unknown) | | | 172.28.255.42 | |
| 10/28/2013 | 14:26:26 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 |

(The Author-Failure-Code, Author-Data, Filter Information, PEAP/EAP-FAST-Clear-Name, EAP Type, EAP Type Name, Reason and Network Device Group columns were empty in every row.)

I am not sure how to install the CA into ACS.

Yes, that's right, and it applies to wired as well.

On the ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

Configuring WLC and ACS for radius settings.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

You may visit the link listed below to install a certificate on ACS 4.2:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
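As an added example (not from this thread or from Cisco), here is a small Python triage script that parses an ACS 4.2 Failed Attempts CSV export like the one posted above and maps the two failure texts seen in it ("Unknown NAS" and "EAP_TLS Type not configured") to the fixes given in this answer. The log rows are constructed to mirror the thread's table, and the HINTS mapping is hypothetical wording, not an ACS feature.

```python
import csv
import io

# Constructed sample in the ACS 4.2 "Failed Attempts" CSV layout, mirroring the
# rows pasted in the thread (columns that were empty in every row are dropped).
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,NAS-Port,NAS-IP-Address,Access Device
10/28/2013,14:25:31,Authen failed,client01@aaeng.local,Default Group,44-94-fc-5b-21-19,(Default),EAP_TLS Type not configured,1,172.28.255.42,RK2WLC5508-01
10/28/2013,14:25:35,Unknown NAS,,,,(Unknown),,,172.28.255.42,
10/28/2013,14:26:26,Authen failed,client01@aaeng.local,Default Group,44-94-fc-5b-21-19,(Default),EAP_TLS Type not configured,1,172.28.255.42,RK2WLC5508-01
"""

# Hypothetical mapping from the ACS failure text to the fix given in the thread.
HINTS = {
    "Unknown NAS": "WLC is not defined on ACS: add it as a RADIUS (Cisco Airespace) "
                   "AAA client with the same shared secret configured on the WLC.",
    "EAP_TLS Type not configured": "EAP-TLS is not enabled on ACS: install the ACS "
                                   "server certificate and enable EAP-TLS (see the PEAP/EAP-TLS guide).",
}

def parse_failed_attempts(text):
    """Parse a Failed Attempts CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def classify(record):
    """Return (failure_key, hint) for one record."""
    if record["Message-Type"] == "Unknown NAS":
        return "Unknown NAS", HINTS["Unknown NAS"]
    code = record.get("Authen-Failure-Code", "")
    return code, HINTS.get(code, "Unrecognised failure; inspect the full ACS report.")

def triage(text):
    """Group failures by (NAS IP, failure_key); returns {key: {count, users, hint}}."""
    summary = {}
    for rec in parse_failed_attempts(text):
        key, hint = classify(rec)
        entry = summary.setdefault((rec["NAS-IP-Address"], key),
                                   {"count": 0, "users": set(), "hint": hint})
        entry["count"] += 1
        if rec["User-Name"]:                 # Unknown NAS rows carry no user
            entry["users"].add(rec["User-Name"])
    return summary

if __name__ == "__main__":
    for (nas, key), info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{nas}: {key} x{info['count']} users={sorted(info['users'])}")
        print(f"    -> {info['hint']}")
```

Point it at a real export by reading the file into `triage()`; a NAS IP that only ever shows "Unknown NAS" is the AAA-client/shared-secret problem, while a known NAS with "EAP_TLS Type not configured" is the ACS-side EAP-TLS setup.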

Thanks. The link you provided helped me get EAP-TLS wireless working.

Sent from Cisco Technical Support iPhone App

Wonderful. Thanks for sharing!!!

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I have another question regarding the passwords for my servers.
Since I joined my Windows 2003 server with ACS 4.2 to the domain, the admin password for my AD/NPS and CA servers has changed to the Windows 2003 admin password.

Is this normal?

Sent from Cisco Technical Support iPhone App

That's nothing to do with ACS joining AD (the domain). This is not a default behaviour.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin