Dynamic ACL with PEAP-MSCHAPv2 and EAP-TLS

Richard Atkin
Level 4

Hi All..

Using WLC 4.0.171.0 with a WPA / 802.1x SSID, backing off to ACS SE v4.1, which backs off to Win2k3 domain.

The SSID utilises the AAA Override function, which is used to apply Access Control Lists. The ACLs change dependent upon whether a Machine Account or User Account is used to log in.

All of this works brilliantly with PEAP-MSCHAPv2, but when EAP-TLS (using machine cert / user smartcard) is used, the ACL doesn't seem to change.

ACS logs the authentication as being successful in both circumstances, and both EAP types are allowed on ACS, so I'm thinking that either:

(A) There's a bug on ACS?

or

(B) That the WLC is misbehaving?

Finally, is there a WLC command that allows me to see what ACLs are actually applied to what user? This would allow me to see if the WLC is actually changing the ACL, or not.

Thanks all,

Richard..
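One way to narrow this down from the RADIUS side, as an added example that is not part of the original thread: with AAA Override, the WLC applies whatever ACL name the RADIUS server returns in the Access-Accept (the Cisco Airespace-ACL-Name VSA, vendor 14179, attribute 6). Checking that attribute per session, and grouping mismatches by EAP type, shows whether ACS is returning the expected ACL for machine versus user identities at all, or whether the WLC receives the right ACL and fails to apply it. The session records, ACL names and the `host/` identity convention below are constructed assumptions for illustration.

```python
"""Audit RADIUS Access-Accept attributes against an expected machine/user
ACL mapping for a WLC WLAN that uses AAA Override.

Added example, not code from the original thread. All session records are
constructed; the ACL names and identity formats are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cisco Airespace VSA (vendor 14179, attribute 6): the ACL name the WLC
# applies to the client when AAA Override is enabled on the WLAN.
AIRESPACE_ACL_ATTR = "Airespace-ACL-Name"

# Assumed policy: machine accounts get the restricted ACL, users the full one.
EXPECTED_ACL = {"machine": "ACL-MACHINE", "user": "ACL-USER"}


@dataclass
class Session:
    identity: str                  # RADIUS User-Name as logged by ACS
    eap_type: str                  # "PEAP-MSCHAPv2" or "EAP-TLS"
    accept_attrs: Dict[str, str] = field(default_factory=dict)  # Access-Accept AVPs


def classify_identity(identity: str) -> str:
    """AD machine accounts present themselves as host/<fqdn>, whether the
    credential is a password (PEAP) or a machine certificate (EAP-TLS);
    anything else is treated as a user account (assumed convention)."""
    return "machine" if identity.lower().startswith("host/") else "user"


def check_session(s: Session) -> Tuple[str, Optional[str], str]:
    """Return (account kind, ACL returned by RADIUS, verdict)."""
    kind = classify_identity(s.identity)
    returned = s.accept_attrs.get(AIRESPACE_ACL_ATTR)
    if returned is None:
        # No VSA in the Accept: the WLC has nothing to override with and
        # keeps the WLAN/interface default ACL.
        verdict = "NO_ACL_RETURNED"
    elif returned == EXPECTED_ACL[kind]:
        verdict = "OK"
    else:
        verdict = "WRONG_ACL"
    return kind, returned, verdict


def audit(sessions: List[Session]) -> List[Tuple[str, str, str, Optional[str], str]]:
    """One row per session: identity, EAP type, kind, returned ACL, verdict."""
    return [(s.identity, s.eap_type, *check_session(s)) for s in sessions]


def failures_by_eap_type(rows) -> Dict[str, int]:
    """Count non-OK sessions per EAP type. Failures confined to one EAP type
    point at the RADIUS policy for that method rather than at the WLC."""
    counts: Dict[str, int] = {}
    for _identity, eap_type, _kind, _acl, verdict in rows:
        if verdict != "OK":
            counts[eap_type] = counts.get(eap_type, 0) + 1
    return counts


# Constructed sample: PEAP sessions carry the right ACL, EAP-TLS ones do not.
SAMPLE_SESSIONS = [
    Session("host/LAPTOP01.corp.example", "PEAP-MSCHAPv2", {AIRESPACE_ACL_ATTR: "ACL-MACHINE"}),
    Session("jdoe@corp.example", "PEAP-MSCHAPv2", {AIRESPACE_ACL_ATTR: "ACL-USER"}),
    Session("host/LAPTOP01.corp.example", "EAP-TLS", {}),
    Session("jdoe@corp.example", "EAP-TLS", {AIRESPACE_ACL_ATTR: "ACL-MACHINE"}),
]

if __name__ == "__main__":
    rows = audit(SAMPLE_SESSIONS)
    for row in rows:
        print(row)
    print("failures by EAP type:", failures_by_eap_type(rows))
```

Feed it the identities and returned attributes from the ACS passed-authentication log (or a packet capture of the Access-Accept on the WLC side) in place of the constructed list; if the EAP-TLS rows come back `NO_ACL_RETURNED`, the server-side authorization policy is not matching those sessions and the WLC is not at fault.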

1 Reply 1

lisa.hall
Level 2

Because EAP-TLS doesn't have a username or password but contains only certificates, it will not work. PEAP has an option for using usernames and passwords.
