WLAN with EAP-TLS-Authentication getting failed after first attempt

Unanswered Question
Mar 17th, 2010


we are using wlc 2106 and accesspoints LAP1242 and acs 4.2 with microsft win2003 as a CA.

Integrated acs with ad for user authentication using EAP-TLS (certificates).Installed the server certificate in ACS and selected the same in trust list also.

and installed the client certificate in dell laptop and tried.

Authentication is getting passed in first attempt after that it getting failed for all attempts,and error in acs is showing as "ACS user unknown".

please help me out.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Scott Fella Wed, 03/17/2010 - 07:28

What client side utility are you using for EAP-TLS?  First off, test using PEAP and see if that works since you have a server side certificate.  Remove the certificate from the client side also when testing.  Post how you have the client setup also.

amitkamat Wed, 03/17/2010 - 22:31

we are using wireless zero config,not using any utility.we have tested peap it is working fine.

clinet side config: Network authentication is wpa2,dat encryption is AES,

                          In authentication tab:selcetd eap type as smart card or other certificate

                          Eap properties:selcted use certificate on this computer,use simple certificate selection,valid server certificate and checked the

                          server certificate in the list.

Scott Fella Thu, 03/18/2010 - 04:47

What OS are you suing... XP, Vista or Windows 7.  If PEAP works fine and when you switch to EAP-TLS and that doesn't work, what changes have you made on the ACS side.... ACS has issues if you don't just specify EAP-TLS and you have other Authentication methods checked.  Here is a Cisco doc that shows you what you need to check and what shouldn't be checked:


Windows Vista & Windows 7 setup:


amitkamat Fri, 03/19/2010 - 01:26


I have done the setup as per attached doc.we are using windows xp.

I have gone through the link provided and those configurations are already done.

The issue is first attempt is passing the remain are failing.

Scott Fella Fri, 03/19/2010 - 08:31

On page 15... what else do you have on the system configuration above EAP-TLS?  ALso should your EAP Type be set to Smart Card or other Certificate

amitkamat Mon, 03/22/2010 - 04:28

EAP Type is selected as smart card or other certificates only and on top of EAP-TLS in sytem configuration tab PEAP is there.

Scott Fella Mon, 03/22/2010 - 05:37

Okay... the only time Ihave seen this issue is when you have multiple authentication methods specified int ACS.  What is happening, is that initially the handshake works, but on the second attempt, ACS isn't liking either the certificate installed on the client or the username cached is being sent wrong, which I doubt.  I wanted you to just try PEAP not EAP-TLS to see if that authentication method works, because that will rule out the server side certificate and username password.  All I can say now is to clrear out the authenticatin in ACS, restart the service and then confiugre EAP-TLS only and restrat ACS again.

amitkamat Mon, 03/22/2010 - 21:29

I Hope what you are saying is right,because EAP-FAST is also configured in ACS.But,if u can give clarification on my below question that wil be clear for me.

Q: when i saw the reports in ACS the logs are showing the same username in both failed and passed authentications.But the username used for certficate is not used for any other authentication method. and the error is showing "acs user unknown",this error will come only incase of username not available in ACS.But in our case we are using AD for authentication.

Even with other authentication method(i.e,EAP-FAST) also it should get authenticated from AD only,but why this (ACS user unknown) error is coming?

i am really confused.

Scott Fella Tue, 03/23/2010 - 04:06

Youhave to look at the profile you created... if the authentication matches the eap-fast policy.. nas-ip address or something... it will fail.  Again.... I understand that you should be allowed to use more than one authentication methods, but youhave to define the policy better.  Must be unique from one another or else once one of the policy matches and then next fails... well... ACS will reject the authentication.  Try to disable eap-fast and test... I bet your eap-tls will work.

amitkamat Mon, 03/29/2010 - 07:13


I have removed eap-fast and leap also,enabled only EAP-TLS.Though iam getting the same error(acs user unknown) in acs reports.

As i said earlier i am able to connect at first attempt later on i am not able to.And once i delete the dynamic user list then iam able to connect.

I have disabled the create dynamic user option in acs and tested though it failed.


amitkamat Tue, 03/30/2010 - 21:51


we are using windows xp with sp2.I will try to arrange the captures of wireshark if customer allows.

Roger Alderman Fri, 04/16/2010 - 06:22

This looks like an ACS configuration issue to me.

If the failure message is 'ACS User Unknown' then this would suggest that ACS is interrogating the internal database rather than handing off the request to AD.

Check that the remote agent is used by the ACS and that the external database configuration is correct.

Check also the logs on the remote agent.

I have just setup an EAP-TLS wireless network and we had issues with authentication but it was a version issue with the remote agent causing the problem.


This Discussion



Trending Topics - Security & Network