ACS appliance setup help

Unanswered Question
Feb 22nd, 2008
User Badges:

Network environment:

- Windows 2003 with enterprise CA

- Cisco ACS appliance

- Cisco 1240 AG series APs

Wireless clients:

- Windows XP SP2

Brief steps taken:

- Installed Enterprise CA

- Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.

- Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.

- Generated certificate request from ACS (1024 key length).

- Submitted server request from ftp server - Submit a certificate request using base 64…

- Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.

- CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)


Brief cofig of ACS appliance

Global config

- PEAP -Selected “Allow EAP-MSCHAPv2”.

- LEAP - Allow LEAP (For Aironet only)

- Selected “Allow MS-CHAP Version 1 & 2 authentication

- Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)

- Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.

1240 series AP config

- Under Server Manager, ACS IP with shared secret entered as a Radius server.

- Selected EAP authentication.

- Under SSID Manager selected open Authentication with EAP & selected network EAP.

- Under Encryption Manager selected WEP Encryption & mandatory.

- Selected key 1 and entered 128 bit key

Client (windows XP SP2 domain member) config

- Connected to Enterprise CA web site, base64 encoding/download CA certificate

and installed it in local computer store.

- Under Network authentication selected open with WEP EAP type “protected EAP (PEAP)

- Authenticate as a computer selected

- Selected my CA under “Trusted Certification Authorities

- Authentication method (EAP-MSCHAP V2)


Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.


Computer doesn't have correct certificate

Used 43486, 64067, 71929

Any suggestions very much apretiated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m_popovic Sun, 02/24/2008 - 09:42
User Badges:

ACS Agent is installed on two DC's as well and they are detected by ACS.


m_popovic Tue, 02/26/2008 - 08:45
User Badges:

I've got it running. Most of the answers were in the doc # 43486.

Thank you


This Discussion