EAP-TLS error in ACS 5.2

IBMBHARTISO
Level 1

Hi,

I have configured RADIUS for dot1x on an ACS 5.2. When I try to connect a user to a dot1x-enabled switch port, I get the following error in RADIUS.

Description:

Identity policy result is configured for password based authentication methods but received certificate based authentication request

Resolution Steps:

Check the appropriate service in Access Service and its Identity source in Access Services > Sysaccess > Identity >. This error happens when the identity source is configured for password based authentication and received a certificate based authentication request.

The switchport configuration is:

  switchport access vlan 810
  switchport mode access
  authentication event fail action authorize vlan 132
  authentication event no-response action authorize vlan 810
  authentication port-control auto
  dot1x pae authenticator
  dot1x max-req 3
  ip verify source port-security
  end

Please help in correcting this in ACS 5.2

Regards,

Abhishek


Tushar Gaba
Cisco Employee

Abhishek,

Can you please illustrate what kind of authentication you are trying to achieve in dot1x?

Is it MSCHAP (password based) or certificate based?

If it is password based, then the configuration on ACS looks ok, because the error says that ACS is configured for password based. Then we need to check the right EAP flavor on the client.

If it is certificate based, then we need to create a certificate profile which will be called in identity:

access policies == access service (name) == identity.

We first need to create the same under >>>>> user and identity stores == certificate authentication profile == specify what you want ACS to look for in the certificate (for example, CN, subject).

Look forward to hearing from you.

Regards,

Tushar Gaba.
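As an added example (not from the thread, and not Cisco's own tooling), the following shell script shows what the "CN" and "subject" that Tushar refers to actually look like on a client certificate, so you can decide which attribute the certificate authentication profile should match against the identity store. It assumes the openssl command-line tool is installed; the two certificates it inspects are self-signed and constructed on the fly with made-up names, and the fallback of using the whole subject when a certificate carries no CN is the script's own choice, not an ACS behaviour documented here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco ACS: show which
# attributes of a client certificate a certificate authentication profile
# could match on (CN or the full subject). Assumes the openssl CLI is
# installed; the client certificates are constructed here and self-signed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway self-signed certificate standing in for the laptop's
# EAP-TLS identity certificate. $1 = output path, $2 = subject in OpenSSL
# /O=.../CN=... form (a constructed value, not a real identity).
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/key.pem" -out "$1" >/dev/null 2>&1
}

# Full subject DN in RFC 2253 form, as a profile matching on "Subject" sees it.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Common Name only, the usual attribute when the profile matches on "CN".
# Prints nothing when the subject has no CN, so the caller can detect that
# case instead of silently matching an empty string.
cert_cn() {
  cert_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Pick the identity to compare against the identity store: CN when present,
# otherwise the whole subject (hypothetical fallback for this example).
identity_from_cert() {
  cn=$(cert_cn "$1")
  if [ -n "$cn" ]; then printf '%s\n' "$cn"; else cert_subject "$1"; fi
}

# Demo run with two constructed certificates (names are made up).
make_client_cert "$WORK/laptop.pem" "/O=Example Corp/CN=abhishek-laptop"
make_client_cert "$WORK/nocn.pem" "/O=Example Corp/OU=Lab"
echo "laptop subject : $(cert_subject "$WORK/laptop.pem")"
echo "laptop identity: $(identity_from_cert "$WORK/laptop.pem")"
echo "no-CN identity : $(identity_from_cert "$WORK/nocn.pem")"
```

Run it with `sh` on any host that has openssl; the first certificate yields a CN the profile can match directly, while the second has none, which is exactly the situation where a profile configured to match on CN would fail to map the user and you would need to match on the subject (or fix the certificate template) instead.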

[Screenshot: Users and Identity Stores > Identity Store Sequences > Edit: "CertBaseAuth". General: Name, Description. Authentication Method List: Certificate Based (Certificate Authentication Profile), Password Based. Additional Attribute Retrieval Search List: an optional set of additional identity stores from which attributes will be retrieved. Internal User/Host Advanced Option.]
Hi Tushar,
Thanks for your reply.
Configuration has already been set for certificate based authentication. Kindly check the above screenshot.
Though I have changed the Certificate Authentication Profile above to the default profile, I have checked it for another profile too.
The error is the same.
Rgds,
Abhishek

Ok,

did you check the attribute that you want ACS to check in the incoming packet from the client?

Most important, select the certificate profile as an identity store under access policies -- access service name -- identity -- select.

BR,

Tushar Gaba.

That seems to be the issue, as I am not able to select any option under identity. Whenever I try to change any setting over there, e.g. select 'rule based result selection' and then try to edit the default rule, the below error comes:

ACS: Resource not found or internal server error


ErrorCode: 500 has occured.      Click here to get back to the server

Also, to let you know, the ACS here is an evaluation version.

Can it be related to it?

Rgds,

Abhishek

This is a known error.

Please log out of the ACS and log in back again.

The evaluation version should not be a problem.

Thanks,

Tushar Gaba.

When I click on the 'rule based result selection' below

and then try to create after clicking the checkbox beside the 'status',

the below popup appears:

What can be the issue?

Rgds,

Abhishek

The issue was with Firefox... not able to check the setting in it properly. Making the changes through IE. Will revert back with the status.

Rgds,

Abhishek

ok.

Please don't forget to rate Tushar's feedback on this matter. Also, mark this thread resolved so that it may help other community members facing similar issues.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks Tushar! It's working flawlessly now. Able to authenticate the user on a certificate basis.

Lesson learnt: Always use IE for Cisco ACS GUI.

Regards,

Abhishek

Most welcome.

IE and Mozilla are the only documented browsers which support ACS.

The trick is the version of IE and Mozilla. You can find the supported browsers and their versions in the release notes.

I hope it was helpful. Please rate if the issue stands resolved so that if any new person sees it, he/she can take it as a valuable solution.

Best regards,

Tushar Gaba.

Hi Tushar,

Can you please also let me know how to resolve the issue of dot1x connectivity when a user has connected his laptop to a dot1x enabled port and the laptop is yet to boot?

Rgds,

Abhishek
