02-22-2008 06:26 AM - edited 03-10-2019 03:40 PM
Network environment:
- Windows 2003 with enterprise CA
- Cisco ACS appliance 4.1.1.23
- Cisco 1240 AG series APs
Wireless clients:
- Windows XP SP2
Brief steps taken:
- Installed Enterprise CA
- Created copy of web server certificate with the option "Mark keys as exportable" enabled. Certificate published.
- Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
- Generated certificate request from ACS (1024 key length).
- Submitted server request from ftp server - Submit a certificate request using base 64...
- Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
- CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
Brief config of ACS appliance
Global config
- PEAP - Selected "Allow EAP-MSCHAPv2".
- LEAP - Allow LEAP (For Aironet only)
- Selected "Allow MS-CHAP Version 1 & 2 authentication"
- Added AAA client (AP) with shared secret with authentication using "Radius (Cisco Aironet)"
- Under External user DB/DB config/Windows database, "Enable PEAP machine authentication" selected.
1240 series AP config
- Under Server Manager, ACS IP with shared secret entered as a Radius server.
- Selected EAP authentication.
- Under SSID Manager selected open Authentication with EAP & selected network EAP.
- Under Encryption Manager selected WEP Encryption & mandatory.
- Selected key 1 and entered 128 bit key
Client (windows XP SP2 domain member) config
- Connected to Enterprise CA web site, base64 encoding/download CA certificate and installed it in local computer store.
- Under Network authentication selected open with WEP, EAP type "Protected EAP (PEAP)"
- Authenticate as a computer selected
- Selected my CA under "Trusted Certification Authorities"
- Authentication method (EAP-MSCHAP V2)
Errors:
Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
Or
Computer doesn't have correct certificate
Used 43486, 64067, 71929
Any suggestions very much appreciated.
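For readers who manage the 1240 from the CLI rather than the web GUI, the following is an added example (not the original poster's configuration) of the Aironet IOS commands that correspond to the AP steps listed above: ACS defined as a RADIUS server, an SSID with open-with-EAP and Network-EAP authentication, and WEP set to mandatory with a 128-bit key in slot 1. The ACS address 192.0.2.10, the shared secret, the SSID name and the WEP key value are placeholders; the list and group names (eap_methods, rad_eap) are arbitrary choices.

```cisco
! Added example, not from the original post. Placeholders: 192.0.2.10 (ACS),
! ACS-SHARED-SECRET, the SSID CORP-PEAP and the 26-hex-digit WEP key.
aaa new-model
!
! Server Manager step: the ACS appliance as a RADIUS server with its shared secret
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key ACS-SHARED-SECRET
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
! Authentication list that sends EAP requests to the ACS group
aaa authentication login eap_methods group rad_eap
!
! SSID Manager step: open authentication with EAP plus Network-EAP (Cisco clients)
dot11 ssid CORP-PEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
! Encryption Manager step: WEP mandatory, 128-bit key in slot 1 as transmit key
interface Dot11Radio0
 encryption mode wep mandatory
 encryption key 1 size 128bit 0 0123456789ABCDEF0123456789 transmit-key
 ssid CORP-PEAP
```

With 802.1X/EAP enabled on the SSID, per-client unicast keys are derived from each PEAP session; the static key configured in slot 1 is what the radio uses for broadcast traffic. Checking `show running-config` for the `ssid`, `encryption` and `radius-server host` lines is a quick way to confirm the GUI steps actually took effect before troubleshooting the client side.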
02-24-2008 09:42 AM
ACS Agent is installed on two DC's as well and they are detected by ACS.
Thanks
02-26-2008 08:45 AM
I've got it running. Most of the answers were in the doc # 43486.
Thank you