EAP-TLS machine auth - no AD

Unanswered Question
Mar 13th, 2008

Hi, I have a test environment with lightweight access points, a 4404 WLC, ACS v4.0, a stand-alone CA and XP wireless clients. Can I get EAP-TLS with machine authentication (certificate-based) without requiring an external AD database?

I am getting authentication traffic between the wireless client and the ACS, but I currently get an authentication failure code in the ACS log saying "external DB not available".

Scott Fella Thu, 03/13/2008 - 17:39
Did you load the certificate on the machines first? If you are using username and password, then you can set that up in ACS. Do you have ACS set up for an external DB and not the local DB?

fieus Mon, 04/28/2008 - 06:06

I'm trying to do the same thing without success.

WLC 4404, ACS v3.3, enterprise CA and XP SP2 wireless clients.

I configured System Conf -> Global Auth Setup for EAP-TLS with SAN/CN/Binary comparison, but then the ACS log complains about "external DB not available".

http://www.cisco.com.ru/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/o.htm talks about "EAP Authentication Protocol and User Database Compatibility" in Table 1.3. From my point of view, EAP-TLS should be configurable using the internal ACS DB.

Thanks for your support!


taelon_x7 Wed, 05/14/2008 - 11:35

Sounds like you have ACS configured to check an external database if the user authentication fails.
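The thread touches two separate decisions a RADIUS server makes for EAP-TLS machine auth: which certificate comparison types are allowed (fieus's SAN/CN/Binary setting) and what happens when the certificate identity is not in the internal database (taelon_x7's unknown-user fallback). The following Python is an added, simplified model of that decision flow written for this thread; it is not ACS code, the "first selected comparison that matches wins" rule and the sample certificates and database entries are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ClientCert:
    """Fields of the EAP-TLS client certificate that the comparison uses."""
    cn: str        # Subject Common Name
    san_upn: str   # SubjectAltName UPN, e.g. host/pc1.lab.example
    der: bytes     # raw DER bytes, used by the binary comparison

@dataclass
class InternalUser:
    """Entry in the server's own (internal) user database."""
    name: str
    cert_sha1: Optional[str] = None   # fingerprint stored for binary comparison

def compare_cert(cert: ClientCert, user: InternalUser, comparison: List[str]):
    """Return the first configured comparison type that matches, else None."""
    checks = {
        "CN": lambda: cert.cn == user.name,
        "SAN": lambda: cert.san_upn == user.name,
        "BINARY": lambda: user.cert_sha1 is not None
                  and hashlib.sha1(cert.der).hexdigest() == user.cert_sha1,
    }
    for kind in comparison:           # assumed: tried in order, first match wins
        if checks[kind]():
            return kind
    return None

def authenticate(cert, internal_db, comparison, external_dbs=()):
    """Decide ACCEPT/REJECT and return the reason a log line would carry."""
    user = internal_db.get(cert.cn) or internal_db.get(cert.san_upn)
    if user is None:
        # Unknown-user policy: consult external databases in order.
        # A None entry models a configured but unreachable external DB.
        reachable = [db for db in external_dbs if db is not None]
        if not reachable:
            return "REJECT", "External DB not available"
        for db in reachable:
            user = db.get(cert.cn) or db.get(cert.san_upn)
            if user:
                break
        if user is None:
            return "REJECT", "User not found"
    matched = compare_cert(cert, user, comparison)
    if matched is None:
        return "REJECT", "Certificate comparison failed"
    return "ACCEPT", f"{matched} comparison matched"

# Constructed sample data: pc1 is enrolled in the internal DB, pc2 is not.
PC1_DER = b"constructed-der-bytes-for-pc1"
INTERNAL_DB: Dict[str, InternalUser] = {
    "pc1.lab.example": InternalUser("pc1.lab.example",
                                    hashlib.sha1(PC1_DER).hexdigest()),
}
PC1 = ClientCert("pc1.lab.example", "host/pc1.lab.example", PC1_DER)
PC2 = ClientCert("pc2.lab.example", "host/pc2.lab.example", b"constructed-der-pc2")
```

With no external database configured, an unenrolled machine such as PC2 is rejected with the same "External DB not available" reason the thread reports, while PC1 passes on whichever of CN or binary comparison is enabled.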
