Showing results for 
Search instead for 
Did you mean: 

Cisco ACS 4.0 EAP-TLS machine based 802.1x with AD


Here's my situation. I currently have 802.1x working perfectly with Microsoft IAS, but we are wanting to use ACS 4.0 due to the fact that we also need the IP Phones to authenticate as well using EAP-TLS. I have configured ACS correctly (so I think) and my machines fail everytime. Here's what I've configured in ACS so far.

Installed certificate from Root CA.

Installed Root CA certificates.

I have trusted all certificates all the way up the chain to the Root ( we have multiple Root CA's as well as Intermediate CA's) The only thing I'm not sure about on this one is the certficate for ACS is given from a different CA but both workstation and ACS certificates ROOT CA is the same.

Group Settings: IETF Radius Attributes

                         [006] Service-Type = Framed

Network Configuration: AAA Client is authenticating using Radius (IETF)

                                  AAA Server Type is RADIUS (can I Cisco ACS???)

System Configuration: Global Authentication Setup - Allow EAP-TLS - Cert CN comparison

External User Databse: Windows Database - Selected our Domain

                                                                 Enable EAP-TLS machine authentication (host/)

                                   Database Group Mappings: NTGroups- Have AD security group selected that host machines are in, CiscoSecureGroup Default

This is where I get a little confused. I have configured our test switch to authenticate with IAS and it works great, configure it to go to the ACS server and we get nothing, I don't event get any errors and anything sent to the logs. Where am I going wrong????

2 Replies 2

Vinay Sharma
Rising star
Rising star

Hi Joshua,

Please make sure you have followed all steps as mentioned in the config guide. ACS 3.2 or 4.x, most of the things are same as far as config is concern.

Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication



If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thanks & Regards


Thanks for the response. I managed to get things working by using the SAN with the certificate instead of the CN. Our server received its cert from the Root CA where the workstations receive their certs from an Intermediate CA.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers