Anyone got ACS SE 4.2.1 authenticating against server 2008 R2 via LDAP?

Unanswered Question
May 18th, 2010

Hi, I'm working on a new network implementation where the customer has ACS SE and wants to use AD for machine based authentication of wired 802.1x clients.

As the support for 2008 R2 server (64-bit OS used here) using remote agent is not yet released they are attempting to set this up using an LDAP connection. The final goal is to use certificate based authentication, and I have had a message indicating this authentication type may not work due to an issue with binary comparison, so we started with basic username/password accounts first.

So far the ACS is populating its external user database fields with the domains setup on AD, but user authentication is failing.

Briefly, we started with basic username/password using MD5-CHAP on XP to an account configured on ACS, and that worked fine. Then we set up the external user database to use an LDAP connection to AD, and an unknown user policy; this doesn't work. It looks like the issue could be to do with the LDAP attributes not being set correctly.

Has anyone used LDAP as an authentication mechanism against 2008 R2 based AD and got it working?

aacole Tue, 05/18/2010 - 02:13

To update this, the ACS is reporting the following error in the failed attempts report:

"Authentication type not supported by External DB"

The machine name is seen in the same log entry, so the assumption is made that at least this request is being forwarded to AD, but AD isn't listening.

Jatin Katyal Tue, 05/18/2010 - 02:58

Aacole,

The above error message says that your external database, which is LDAP, doesn't support EAP-MD5, and that is quite true.

You may check the link below for protocol and database compatibility.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp824733

Since you are using LDAP, it only supports EAP-GTC.

Do let me know if you need any further suggestions.

Regds,

JK

Do rate helpful posts.
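The following is an added illustration, not code from the thread or from Cisco, of why the failed-attempts entry above is the expected outcome. An EAP-MD5 (CHAP) response is MD5(identifier || password || challenge) per RFC 1994, so whoever verifies it must hold the cleartext password. An LDAP directory never hands the password back; its only check is a simple bind with a password you already have. ACS can therefore check EAP-MD5 only against its own internal database, while a cleartext credential such as EAP-GTC (or PAP) can be forwarded to AD as a bind. The in-memory "internal DB" and "LDAP directory" classes, the account name and the password are constructed stand-ins, and `acs_authenticate` is a simplified model of the ACS dispatch, not the real product logic.

```python
import hashlib
import hmac
import os

# The string ACS logs in the failed attempts report (quoted in the thread above).
UNSUPPORTED = "Authentication type not supported by External DB"


class InternalUserDb:
    """Stand-in for the ACS internal user database: ACS holds the cleartext
    password, so it can recompute any challenge/response hash itself."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def lookup_password(self, username):
        return self._accounts.get(username)


class LdapDirectory:
    """Stand-in for AD reached over LDAP: the only check available is a simple
    bind, which answers yes/no and never returns the stored password."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def bind(self, username, password):
        return self._accounts.get(username) == password


def eap_md5_response(identifier, password, challenge):
    """CHAP / EAP-MD5 response: MD5(identifier || secret || challenge), RFC 1994."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def acs_authenticate(backend, username, credential):
    """Simplified model of the ACS dispatch (an assumption, not product code).
    credential is one of:
        ("EAP-MD5", identifier, challenge, response)
        ("EAP-GTC", password)      # PAP hands over cleartext too and behaves the same
    Returns True/False, or the failed-attempts error string when the
    credential type cannot be checked against that kind of backend."""
    kind = credential[0]
    if kind == "EAP-MD5":
        _, identifier, challenge, response = credential
        if isinstance(backend, InternalUserDb):
            pw = backend.lookup_password(username)
            if pw is None:
                return False
            expected = eap_md5_response(identifier, pw, challenge)
            return hmac.compare_digest(expected, response)
        # LDAP backend: there is no password to hash and a hash cannot be
        # used to bind, so the request is rejected before reaching AD.
        return UNSUPPORTED
    if kind == "EAP-GTC":
        _, password = credential
        if isinstance(backend, InternalUserDb):
            return backend.lookup_password(username) == password
        return backend.bind(username, password)
    raise ValueError("unknown credential type %r" % kind)


# Constructed sample data: one machine account, as an XP supplicant would present it.
ACCOUNTS = {"host/lab-pc01.example.local": "s3cret-pw"}
INTERNAL = InternalUserDb(ACCOUNTS)
LDAP = LdapDirectory(ACCOUNTS)


def demo():
    """Run the same machine credential against both backends."""
    username = "host/lab-pc01.example.local"
    ident = 7
    challenge = os.urandom(16)
    resp = eap_md5_response(ident, ACCOUNTS[username], challenge)
    md5_cred = ("EAP-MD5", ident, challenge, resp)
    gtc_cred = ("EAP-GTC", ACCOUNTS[username])
    return {
        "md5_vs_internal": acs_authenticate(INTERNAL, username, md5_cred),
        "md5_vs_ldap": acs_authenticate(LDAP, username, md5_cred),
        "gtc_vs_ldap": acs_authenticate(LDAP, username, gtc_cred),
        "gtc_wrong_pw_vs_ldap": acs_authenticate(LDAP, username, ("EAP-GTC", "wrong")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The practical check this suggests for the poster's setup: keep the ACS-internal account for EAP-MD5 tests, but when switching the XP supplicant to the LDAP external database move it to an EAP type that carries a cleartext credential inside the TLS tunnel (for example PEAP with EAP-GTC), otherwise every attempt will land in the failed-attempts report with exactly the error shown above regardless of how the LDAP attributes are mapped.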
