802.1x with AD support via ACS 4

serco2650
Level 1

Hello,

I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS, with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".

Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.

Thanks.

Karthik

2 Replies

Jagdeep Gambhir
Level 10

Karthik,

With AD we need to use PEAP. The error we are getting is due to the certificate. Please uncheck "validate server certificate" in the wireless client and try to authenticate.

Regards,

~JG

Do rate helpful posts

andypalfrey
Level 1

Hi Karthik,

The SSL handshake will fail in our experience for any of the following reasons:

- The supplicant cannot access the private key corresponding to its certificate - check that the system a/c has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys

- The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - Is the supplicant's Root CA present in the ACS Certificate Trust List?

- CRL checking is enabled and the CRL has expired or is inaccessible

If you up the logging levels to full and examine the csauth log closely, you should get more detail as to the reason.

Hope that helps

Andy
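
The checks in Andy's list can be run from the supplicant with the PowerShell below. This is an added example, not part of the original thread and not Cisco or Microsoft tooling. It assumes the machine certificate sits in the LocalMachine\My store with a CSP (not CNG) key, and that the local system account is named `NT AUTHORITY\SYSTEM` (English-language Windows).

```powershell
# Added example: run in an elevated PowerShell session on the supplicant.
# Assumptions: machine cert in LocalMachine\My, CSP-backed key, English account names.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

# MachineKeys is under "Application Data" on XP/2003, directly under ProgramData later.
$keyDirs = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys"
) | Where-Object { Test-Path $_ }

$read = [System.Security.AccessControl.FileSystemRights]::Read

foreach ($cert in $certs) {
    Write-Output "== $($cert.Subject) [$($cert.Thumbprint)] expires $($cert.NotAfter)"

    # Check 1: does the system account have read access to the private key file?
    $container = $null
    try { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    $keyFile = $null
    if ($container) {
        $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $container } |
                   Where-Object { Test-Path $_ } | Select-Object -First 1
    }
    if (-not $keyFile) {
        Write-Output "  key file: not located (CNG key, or MachineKeys not readable)"
    } else {
        $allow = (Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        Write-Output "  key file: $keyFile"
        Write-Output "  SYSTEM can read key: $([bool]$allow)"
    }

    # Checks 2 and 3: build the chain with online revocation checking.
    # UntrustedRoot / PartialChain      -> issuing root CA is not trusted here
    # RevocationStatusUnknown / OfflineRevocation -> CRL expired or unreachable
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($cert)
    Write-Output "  chain builds with CRL check: $ok"
    foreach ($s in $chain.ChainStatus) {
        Write-Output "    $($s.Status): $($s.StatusInformation.Trim())"
    }
}
```

The chain result reflects the trust store and network reach of the machine the script runs on. The ACS Certificate Trust List is configured separately in ACS and still has to be checked there.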