11-09-2004 09:04 PM - edited 03-09-2019 09:24 AM
Hi Sir,
Does anyone know how to configure 802.1x using EAP-TLS authentication?
I'm setting up a demo at my customer site using the following components:
(1) Windows 98 SE notebook and Funk's Odyssey Client v3.03 (30-day trial) as the Supplicant.
(2) Cisco Catalyst 2950 Switch as the Authenticator.
(3) CiscoSecure ACS v3.3 Trial as the Authentication Server.
(4) My customer's live LDAP server as External User Database.
I'm using Generic LDAP to interface with my customer's live LDAP. Customer created a test user entry in the LDAP. There's no account on ACS internal database. The integration tested okay because I'm doing "aaa authentication login" on the CAT2950 and I'm able to log in using the test account.
I understand LDAP supports only EAP-TLS, Cisco PEAP (EAP-GTC), and EAP-FAST Phase Two, as far as integration with ACS is concerned. Odyssey client's only option, in this case, is EAP-TLS.
My ACS generates a self-signed cert (CN = server1). I copied the cert file to my Win98 notebook. Using Certificate Manager, I imported it into Personal (required by Odyssey) and Trusted Root Certification Authorities. I pointed to this cert in the Odyssey client (I got the error "You do not have a private key that corresponds to this certificate", but I proceeded anyway). Please see the attached screenshots of the Odyssey configuration. On ACS, I ticked everything under EAP-TLS.
Odyssey fails the 802.1x authentication. It reports "Client issued alert 40 (handshake failure)". ACS reports "EAP-TLS or PEAP authentication failed during SSL handshake".
What did I miss in the setup, or is my setup correct at all? Do I need to set anything on the LDAP, e.g. attach the cert to the user entry, etc.?
Please help.
Thank you.
B.Rgds,
Lim TS
11-16-2004 10:12 AM
I am not really sure if this will work with a trial version.