wlc 5760 integeration with ACS

CSCO11256353 · ‎02-17-2014

Guys i am integerating WLC5750 with the ACS server which is integerated with our LDAP.

I did below configuration on the WLC:

aaa new-model

aaa group server radius ACS

server name ACS

aaa authentication dot1x ACS group ACS

aaa session-id common

radius server ACS

address ipv4 100.100.100.100 auth-port 1645 acct-port 1646

key cisco123

for the ACS part it is already integerated with my LDAP.

i have defined the service selection rule under access policies.

Also the default network access identity and authorization are both configured.

also in Default network access -> allowed protocols -> i have checked Allow EAP-FAST as well.

i am not sure what i am missing.

Amjad Abdullah · ‎02-17-2014

Look at ACS logs and see what they say about the failure.

Rating useful replies is more useful than saying "Thank you"

Rasika Nayanajith · ‎02-17-2014

Hi

Looks like "dot1x system-auth-control" is missing.

Pls see the below config example

External RADIUS EAP with 5760/3850

Also refer this post as well. It is for 5760 integration with ISE. Stilll may be helpful as concept is same on 5760 end.

Configuring RADIUS on 5760

HTH

Rasika

**** Pls rate all useful responses ****

CSCO11256353 · ‎02-17-2014

it is already there, i checked the configuration.

the example you gave is with ISE.

in my setup i have WLC integerated to ACS 5.3 which is integerated with LDAP.

all examples I have seen are with with internal data stores.

Please share with me if you have doc related to that.

Rasika Nayanajith · ‎02-17-2014

Hi

First example given is with ACS 5.2

There is also given how to run a debug for a particular client MAC. Try that & see what's happening.

Also suggest, first create a local user on ACS & check if that works. Then you know there is no issue with WLC & ACS. If that works that mean intergration with ACS to LDAP having issues.

As Amjad suggested, look at the ACS detail log of the client failure (Monitoring & Report-> Monitoring & Report Viewer -> AAA Protocol -> Radius Authentication)

HTH

Rasika

**** Pls rate all useful responses ****

CSCO11256353 · ‎02-17-2014

that sounds like a plan, will do that and update you tomorow.

Rasika Nayanajith · ‎02-17-2014

Also refer this video on "Windows AD as LDAP server on Converged Access controllers"

https://supportforums.cisco.com/videos/8028

Note: It did not play on my computer, may be my computer issue, you can give it a try

Rasika

*** Pls rate all useful responses ****

CSCO11256353 · ‎02-18-2014

i have check the logs on ACS server and below is the Failure Reason:

11514 Unexpectedly received empty TLS message; treating as a rejection by the client

i want the clients to use PAP_ASCII protocol but they are using PEAP for which some sort of certificate is required i believe.

CSCO11256353 · ‎02-18-2014

my requirement for the tasks are simple:

i want users to connec to the SSID, once connected they will open browser to enter username and password.

This username and password is the same as of the LDAP, once authenticated they can use network resources.

Joseph Vasanth Louis · ‎03-01-2014

i have a couple of questions.

is the ldap used as l2 security for the ssid? or is it used for the webauth?

the error message is generally when the supplicant does not have the CA. you can try disabling server certificate verification on the client to check if there is an issue with the certs.

Naveen Kumar · ‎02-26-2014

please have a look on the Configuration Examples, It may help you:

http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-configuration-examples-list.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html#intro