Showing results for 
Search instead for 
Did you mean: 

ACS Certification & Identity Stores


We have Cisco AP set up around our buiding. We also have a Cisco ACS server set up. Some of our domain users are able to go our customers sites which are on different domains and are thier work laptops to gain access to thier own domains. I know the customers are using RADAIUS and ARUBA.

I have been asked if we can allow customers to come to this office and allow then to log onto thier laptops, connect remotly through our wireless and let them connect to thier domain.

I believe this is possible through the ACS server, The ACS server would have the customer domain name configured in user and identity, Radius identity servers. The user would log in and authenticate and would be directed through a different vlan to the cust AD. Unfortunatly I am not an expert on the ACS and to be honest this is my first time that I have ever used this or set up wireless.

I have set up a test AP that is connected to the ACS. We have a Windows 7 laptop that is not on the co-perate domain that I am having issues connecting to the ACS.

The first problem was that the ACS sees the laptop and issues a certificate error -

12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate : Authentication failed

I resolved this by unticking the Validate server certificate box in changing the Protected EAP Properties

I then tried to connect and now recieve the

22056 Subject not found in the applicable identity store(s). : Authentication failed

I am currently going through the ACS manual, I understand that the ACS needs to authenticate the host (laptop) first. I will be using the external identity store as the laptop is not on the coperate domain, I cannot use LDAP, AD, RSA as an external identity store.

My questions are below and I would be grateful for any feedback

1, Can I use the Radius Identity Server?

2, Would I need to use certificates as well an external identity store, or can I use just the one.


Content for Community-Ad