03-21-2012 04:55 AM - edited 03-10-2019 06:55 PM
Hi All,
I am nearing the final stages of an ACS Ver 5.3 deployment and everything is working as it should with the exception of our test wireless users.
Thus far I have:
Configured an "Identity store sequence" that consists of:
-acs internal db
-External radius server
This is called "VPNSequence"
I have also configured an Identity store sequence of:
-AD
-LDAP
This is called "Wireless Sequence"
I then configured the identity section of the "default network access" service.
I put a condition that will match the VPN access (for example, "if network device belongs to the network device group called 'VPN concentrators'"). The identity store used will be the sequence I created above ("VPNSequence").
I then created a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.
I then created a Certification Authorisation Profile and applied it to the Wireless Sequence.
I then tested an XP laptop on a Test_WLAN wireless network that authenticates using the new ACS device - when it attempts to logon I get a message on the laptop stating that I have to "Click here to process your logon information ...". When I click on this it asks me to re-enter my AD password. (This occurs even when I remove the Certification Authorisation Profile from the "Wireless Sequence" described above.) If I enter my credentials I connect no problem.
However, this is not ideal for a smooth transition from ACS 3.3 to ACS 5.3 for our Wireless End Users (numbering in the hundreds). They will no doubt bombard our helpdesk when this prompt appears for their wireless connectivity.
Is there any way I can configure the ACS so that they make a transparent connection without the need to re-enter credentials?
Any help would be much appreciated - please let me know if you require further information.
Kind regards,
Thomas.
03-22-2012 04:20 AM
Hi,
From your description it appears that you are using password-based authentication -- PEAP, EAP-FAST. The certificate authentication profile is only required for EAP-TLS, although its being there would not cause any issues.
As for getting prompted on the laptops to enter the credentials, ensure that when you click on "configure" next to "secure password mschap v2", the checkbox next to "Automatically use my windows credentials for login" is selected (not shown in this figure).
Regards,
Dev