
ACS v5.1 - EAP-TLS not allowed under PEAP?

dal
Level 3

Hello again!

As mentioned in another post here, I'm trying to set up both machine authentication and user authentication. But I'm puzzled by one of the Failure Reasons ACS gives me:

Failure Reason :

12752 Failed to negotiate EAP for inner method because EAP-TLS not allowed under PEAP configuration in Access Service.

"The client's supplicant sent an EAP-Response/NAK packet rejecting the EAP-based protocol that was previously proposed for the inner method, and requested to use EAP-TLS instead. However, ACS does not allow EAP-TLS under PEAP configuration in the Allowed Protocols section of the corresponding Access Service."


Resolution Steps

"Ensure that the EAP-TLS protocol is allowed by ACS under PEAP configuration in the Allowed Protocols section of the relevant Access Service."

The problem is: how do I turn on EAP-TLS under PEAP? I'm not able to find any place where I can do that. Sure, I can enable PEAP, but there is no EAP-TLS choice under there, just MS-CHAP v2 and GTC.

Any tips?

Thank you.

2 Replies

Yudong Wu
Level 7

ACS v5.1 does not support EAP-TLS.

In v5.0, you can see only PEAP with MSCHAPv2 is supported in the link below.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/migrate.html#wp1052549

In ACS5.1, PEAP with GTC is added.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html#wp113551

I did not see that EAP-TLS is in ACS 5.1.

Hi, and thanks for answering.

Yes, there seems to be a lot missing in this piece of software. I'm *this* close to letting it go and finding another RADIUS server to use.
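The negotiation failure quoted in the question can be reproduced offline with the following added example, which is not part of the thread and is not ACS code. It decodes an EAP-Response/Nak and checks the requested method against the inner methods the thread reports as selectable under PEAP (MS-CHAP v2 and GTC). It assumes the inner packet carries the full RFC 3748 header; the function names and sample packets are constructed for illustration.

```python
import struct

# EAP method type numbers from the IANA EAP registry (RFC 3748, RFC 5216).
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "EAP-TLS",
             25: "PEAP", 26: "MS-CHAPv2"}
EAP_RESPONSE = 2   # EAP Code field value for a Response
EAP_NAK = 3        # EAP Type field value for a legacy Nak

# Inner methods the thread reports as available under PEAP (assumption of this sketch).
ALLOWED_INNER = {26, 6}


def parse_nak(packet: bytes) -> list[int]:
    """Return the method types a supplicant asks for in an EAP-Response/Nak."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code != EAP_RESPONSE or eap_type != EAP_NAK:
        raise ValueError("not an EAP-Response/Nak")
    # Nak data is one octet per desired method; 0 means "no alternative".
    return [t for t in packet[5:length] if t != 0]


def negotiate_inner(packet: bytes, allowed=ALLOWED_INNER) -> str:
    """Pick the first requested method the server allows, or report the mismatch."""
    wanted = parse_nak(packet)
    for t in wanted:
        if t in allowed:
            return f"continue with {EAP_TYPES.get(t, t)}"
    names = ", ".join(EAP_TYPES.get(t, str(t)) for t in wanted) or "nothing"
    return f"fail: supplicant requested {names}, not allowed as inner method"


# Constructed sample: Response, id 7, length 6, type Nak, desired type 13 (EAP-TLS).
SAMPLE_NAK_TLS = bytes([2, 7, 0, 6, 3, 13])
# Constructed sample: same shape, but the supplicant asks for GTC (6).
SAMPLE_NAK_GTC = bytes([2, 8, 0, 6, 3, 6])

if __name__ == "__main__":
    print(negotiate_inner(SAMPLE_NAK_TLS))
    print(negotiate_inner(SAMPLE_NAK_GTC))
```

A Nak that lists type 13 when the server offers only 26 and 6 means the mismatch is on the supplicant side as well: the client profile is set to use a certificate as the inner method.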
