Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1414
Views
0
Helpful
2
Replies

Cisco ACS 4.0 EAP-TLS machine based 802.1x with AD

network_guy
Level 1
Level 1

‎11-30-2010 07:51 AM - edited ‎02-21-2020 04:10 AM

Here's my situation. I currently have 802.1x working perfectly with Microsoft IAS, but we are wanting to use ACS 4.0 due to the fact that we also need the IP Phones to authenticate as well using EAP-TLS. I have configured ACS correctly (so I think) and my machines fail everytime. Here's what I've configured in ACS so far.

Installed certificate from Root CA.

Installed Root CA certificates.

I have trusted all certificates all the way up the chain to the Root ( we have multiple Root CA's as well as Intermediate CA's) The only thing I'm not sure about on this one is the certficate for ACS is given from a different CA but both workstation and ACS certificates ROOT CA is the same.

Group Settings: IETF Radius Attributes

                         [006] Service-Type = Framed

Network Configuration: AAA Client is authenticating using Radius (IETF)

                                  AAA Server Type is RADIUS (can I Cisco ACS???)

System Configuration: Global Authentication Setup - Allow EAP-TLS - Cert CN comparison

External User Databse: Windows Database - Selected our Domain

                                                                 Enable EAP-TLS machine authentication (host/)

                                   Database Group Mappings: NTGroups- Have AD security group selected that host machines are in, CiscoSecureGroup Default

This is where I get a little confused. I have configured our test switch to authenticate with IAS and it works great, configure it to go to the ACS server and we get nothing, I don't event get any errors and anything sent to the logs. Where am I going wrong????

0 Helpful
2 Replies 2

Vinay Sharma
Level 7
Level 7

‎12-14-2010 06:43 AM

Hi Joshua,

Please make sure you have followed all steps as mentioned in the config guide. ACS 3.2 or 4.x, most of the things are same as far as config is concern.

Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

thanks,

Vinay

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thanks & Regards
0 Helpful

network_guy
Level 1
Level 1
In response to Vinay Sharma

‎12-14-2010 06:53 AM

Vinay,

Thanks for the response. I managed to get things working by using the SAN with the certificate instead of the CN. Our server received its cert from the Root CA where the workstations receive their certs from an Intermediate CA.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card