ACS 5.1 Active Directory EAP-TLS

Unanswered Question
Jun 7th, 2010


I am trying to use ACS 5.1 with Active Directory and do 802.1X EAP-TLS for wired and wireless access. We need to map users to an identity group to assign VLANs, dACLs, etc., but having an issue mapping a certificate based user to AD attributes. When the user/machine presents a certificate the Identity Rule matches based on cert and doesn't seem to process AD attributes like group membership. In the User Guide it states that it supports 'Certificate Retrieval for EAP-TLS Authentication' but doesn't really give any direction on how to configure.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jason Granat Mon, 06/07/2010 - 12:01

N/M, I forgot to include the additional attribute retrieval search list in the identity store
sequence It is working now.

nhan.duong Wed, 08/11/2010 - 08:28

hey Jason,

I am trying to configure the samething EAP-TLS with AD.

Can you share some screenshoot of "local certificate,  CA authority, and Certification profile?  Does the user certificate have to locate in AD for verify?



g.raymakers Tue, 11/30/2010 - 11:42

Could you perhaps share some of the config info - I'm trying to do just the same thing?

Many Thanks,


Jason Granat Wed, 12/01/2010 - 09:02

Sorry I missed your questions. Attaches is a screenshot. I initially missed the lower section "Additional Attribute Retrival Search List"


This Discussion