eap-tls configuration assistance

Unanswered Question
Jul 12th, 2009

I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.


MS CA (Windows 2008 Server)

MS DC (Windows 2003 Server)

ACS 4.2 (Windows 2003 Server)

WLC 4402 (5.2)


Client MS XP SP3

I have confirmed that the certificates are valid on both the ACS and the client.

The problem I have is, I see the client associate, but it fails authentication. When I look in the ACS Failed Attempts log, I see:

13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 .. .. 13 EAP-TLS .. TWLC01 CITY

I have configured ACS for Unknown User Policy and have the client e26458 in AD.

I would like some advice from some people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of debug aaa events enable, debug aaa detail enable, debug dot1x events enable, debug dot1x states enable on the WLC.

frustratingly yours

jicr Mon, 07/13/2009 - 09:32

I am unable to open the attachment; anyway, let me tell you a few things which you should confirm while using certificates.

1. Both your client and server certificates should be from the same authority.

2. The username to which the certificate was issued should be in your ACS database.

3. Confirm the validity of both your CA and device certificates.

Just to confirm this is not an issue with your ACS server, you can install the cert in your controller and try to authenticate the client using local auth. If this works then your certs are perfect, and you should verify your ACS configuration.

m.carrington Mon, 07/13/2009 - 12:41

1. Both the client and servers certs are from the same CA and are valid.

2. I thought with EAP-TLS you configure ACS to use the unknown user policy, referencing the external database, which in my scenario is AD.

raun.williams Wed, 07/15/2009 - 10:33

I've mapped groups to AD Security Groups for the external configuration. This allows me to divide my medical devices from typical user devices, smartphones etc., all through a single SSID, and pass different Airespace attributes for dynamic interfaces and QoS settings.

m.carrington Wed, 07/15/2009 - 20:52

Which magical guide did you use to get it working? I am not getting that far. I'm failing authentication, see the OP for log details.

I know my ACS is talking to my AD correctly because I configured PEAP, using our CA cert on ACS authenticating into our AD.

I just cannot get EAP-TLS working using machine authentication. The ACS is not trying to talk to AD even though the logs are showing "External user not found". If it is failing due to a certificate problem, surely the ACS would have a failed certificate message in the failed logs?
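The thread turns on two things: the identity string the supplicant presents (host/e26458.internal.company in the OP's Failed Attempts line) and whether that identity maps to an account ACS can find in the external database, which is jicr's second checklist item. The script below is an added example, not code from the thread or from Cisco; it parses Failed Attempts lines in the layout of the single line quoted in the OP (the column order is assumed from that one line), derives the AD computer account name (<HOST>$) from a host/<fqdn> machine identity, and checks it against a constructed stand-in for a directory export. The category labels and the sample accounts and extra log lines are the script's own, constructed for illustration.

```python
"""Triage of ACS 4.x Failed Attempts lines for EAP-TLS machine authentication (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: the Failed Attempts line quoted in the original post, plus two
# constructed lines in the same layout (a host that is not in AD, and a user identity).
SAMPLE_LOG = """\
13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 .. .. 13 EAP-TLS .. TWLC01 CITY
13/07/2009 11:21:02 Authen failed host/e99999.internal.company Default Group 00-12-F0-82-77-2E (Default) External user not found .. .. 1 .. .. 13 EAP-TLS .. TWLC01 CITY
13/07/2009 11:22:40 Authen failed jsmith Default Group 00-12-F0-82-77-2F (Default) External user not found .. .. 1 .. .. 13 EAP-TLS .. TWLC01 CITY
"""

# Constructed stand-in for a directory export of computer accounts (sAMAccountName values).
KNOWN_COMPUTER_ACCOUNTS = {"E26458$", "E11111$"}

# Column layout assumed from the one line shown in the post: date, time, message type,
# user-name, group-name (may contain spaces), caller-id (MAC), network access profile in
# parentheses, failure reason, then the remaining '..'-separated columns.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<msg>Authen failed|Author failed) "
    r"(?P<user>\S+) "
    r"(?P<group>.+?) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}) "
    r"\((?P<nap>[^)]*)\) "
    r"(?P<reason>.+?) \.\. "
    r"(?P<rest>.*)$"
)
EAP_RE = re.compile(r"\b(EAP-TLS|EAP-FAST|PEAP|LEAP)\b")


@dataclass
class FailedAttempt:
    when: datetime
    user: str
    group: str
    mac: str
    profile: str
    reason: str
    eap_type: Optional[str]
    aaa_client: Optional[str]   # assumed to be the second-to-last token (TWLC01 in the post)


def parse_line(line: str) -> Optional[FailedAttempt]:
    """Parse one Failed Attempts line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest_tokens = m["rest"].split()
    eap = EAP_RE.search(m["rest"])
    return FailedAttempt(
        when=datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S"),
        user=m["user"], group=m["group"], mac=m["mac"].upper(), profile=m["nap"],
        reason=m["reason"], eap_type=eap.group(1) if eap else None,
        aaa_client=rest_tokens[-2] if len(rest_tokens) >= 2 else None,
    )


def machine_account_from_identity(identity: str) -> Optional[str]:
    """Map the machine identity a Windows supplicant sends (host/<fqdn>) to the computer
    object's sAMAccountName (<HOST>$). Returns None for a user identity such as 'jsmith'."""
    if not identity.lower().startswith("host/"):
        return None
    short = identity[len("host/"):].split(".", 1)[0]
    return short.upper() + "$"


def triage(rec: FailedAttempt, known_accounts: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (category, derived_account). Categories are this script's own labels."""
    if rec.reason != "External user not found":
        return ("other", None)
    acct = machine_account_from_identity(rec.user)
    if acct is None:
        # The client sent a user identity, so machine authentication was not in play.
        return ("user-identity-not-machine", None)
    if acct in set(known_accounts):
        # The account exists, so the lookup path from ACS to the external DB is the suspect.
        return ("account-exists-check-acs-external-db", acct)
    return ("account-missing-in-directory", acct)


def triage_log(text: str, known_accounts: Iterable[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run triage over every parseable line: (mac, identity, category, derived account)."""
    accounts = set(known_accounts)
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            cat, acct = triage(rec, accounts)
            results.append((rec.mac, rec.user, cat, acct))
    return results


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG, KNOWN_COMPUTER_ACCOUNTS):
        print(row)
```

For the OP's own line the derived account E26458$ is present in the constructed export, so the script files it under the category that points at the ACS unknown-user policy and external database mapping rather than at the directory; a real run would replace KNOWN_COMPUTER_ACCOUNTS with an export of the domain's computer objects.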
