I recently installed ACS 5.1 + Cisco WLC 4402 and many LWAP1125 for our new EAP-TLS wireless security standard.
I'm trying to limit wireless access to a specific security group in Active Directory.
According to the ACS AAA RADIUS log, I can see ACS is sending the correct username information to AD for reference, but Active Directory doesn't recognize the username within the security group.
Please see below for more details:
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - Wireless Tester
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
My ACS configuration for the Identity Store is to use the certificate-based authentication (Default CN Username) method against Active Directory.
Under Access Policies -> Service Selection Rule, I have one rule that permits network access if the RADIUS protocol is used and the user account is a member of a specific security group.
I've been reviewing my configuration over and over but couldn't find any flaws. Is there an EAP-TLS deployment guide for ACS 5.1?
Thank you in advance for your help.
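The step log quoted in the post separates two results that are easy to conflate: the EAP-TLS handshake itself (22037 Authentication Passed) and the identity-store lookup that follows it (24432 / 24412). The script below is an added example, not code from the poster or from Cisco ACS: it parses a reproduction of those step lines, pulls out the exact identity string ACS handed to AD, and reports which of the two stages failed. The step-code meanings are taken only from the message text in the post; the sample log is a constructed copy of the one above, and the `lookup_state` labels are this example's own naming.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a reproduction of the ACS 5.1 step log quoted in the post.
SAMPLE_STEPS = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24432 Looking up user in Active Directory - Wireless Tester
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
"""

# Step codes and their meaning, taken from the message text in the log above.
AUTH_PASSED = "22037"
AD_LOOKUP = "24432"
AD_NOT_FOUND = "24412"

STEP_RE = re.compile(r"^\s*(?P<code>\d{5})\s+(?P<msg>\S.*)$")
LOOKUP_RE = re.compile(r"^Looking up user in Active Directory - (?P<user>.+?)\s*$")


@dataclass
class IdentityOutcome:
    steps: List[Tuple[str, str]] = field(default_factory=list)
    auth_passed: bool = False
    looked_up_user: Optional[str] = None
    # Labels are this example's own: not_attempted | not_found | no_failure_logged
    lookup_state: str = "not_attempted"


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs; lines without a 5-digit step code are headings and are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group("code"), m.group("msg")))
    return steps


def analyze(steps: List[Tuple[str, str]]) -> IdentityOutcome:
    """Walk the steps in order and record the EAP-TLS result and the AD lookup result separately."""
    out = IdentityOutcome(steps=steps)
    for code, msg in steps:
        if code == AUTH_PASSED:
            out.auth_passed = True
        elif code == AD_LOOKUP:
            m = LOOKUP_RE.match(msg)
            out.looked_up_user = m.group("user") if m else None
            out.lookup_state = "no_failure_logged"
        elif code == AD_NOT_FOUND and out.lookup_state != "not_attempted":
            out.lookup_state = "not_found"
    return out


def diagnose(out: IdentityOutcome) -> str:
    """One-line summary that keeps the certificate result apart from the identity-store result."""
    if not out.auth_passed:
        return "EAP-TLS authentication did not pass; check the certificate chain before looking at AD."
    if out.lookup_state == "not_attempted":
        return "Authentication passed but no AD lookup was attempted; check the identity store sequence."
    if out.lookup_state == "not_found":
        return (f"Authentication passed; AD lookup used the identity {out.looked_up_user!r} "
                "and AD reported it not found (24412). Confirm an account whose lookup attribute "
                "exactly equals that string exists before reviewing the group rule.")
    return f"Authentication passed; AD lookup for {out.looked_up_user!r} logged no failure."


if __name__ == "__main__":
    print(diagnose(analyze(parse_steps(SAMPLE_STEPS))))
```

Run against the constructed sample, it reports that the certificate stage passed and that the string ACS sent to AD was the certificate CN "Wireless Tester", which is the value to compare against whatever attribute the AD identity store is matching on.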