×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ACS 5 for Wireless Access

Unanswered Question
Jun 27th, 2012
User Badges:

We've got an ACS 5.1 virtual appliance for device administration tasks and now we want to authenticate wireless domain users, but only by it's username/password, without trusting any CA certificates from the AD (is it required an ACS certificate too?).


Maybe there are some steps I have missed but I cant' locate where is the problem:


  1. The ACS is connected against AD correctly, as people from administrator group access successfully to device admin.
  2. AAA Clients are defined (autonomous APs) matching radius protocol
  3. Policy elements > Authorization > Network Access, a new profile has been created to guaranteed the access to the network with all the combos in the default value
  4. A new Access Policy > Access Service has been created (WIFI) matching protocols EAP-TLS (I think this is the problem)
    1. Identity is set to AD1
    2. Authorization has a rule with compound condition, matching AD1 -> External Group -> Wireless group, and Authorization Profiles set to the one created in step 3.


This is the configuration of the AP with the neccesary commands:


aaa group server radius rad_eap

server a.b.c.d auth-port 1812 acct-port 1646

server a.b.c.d auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default group rad_eap local

!

dot11 vlan-name WPA vlan 199

dot11 ssid LABREDES_CERT

   vlan 199

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

   mbssid guest-mode dtim-period 75

!

interface Dot11Radio0

  encryption vlan 199 mode ciphers tkip

....


We have spent some days and nothing seems to work but nothing appears in the ACS log, and a debug (radius, aaa authentication) in the AP only shows (AAA/BIND(0000014E): Bind i/f  )


Any help would be appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jesus.pavon Fri, 06/29/2012 - 05:23
User Badges:

Hi again, the problem is almost reolved.


Now the problem is with machine authentication, it does not works. We have checked options for machine authentication in the Active Directory Store, the Host lookup in Access Service Protocol, and we have 2 rules in the Access Service Authentication, first for System:Username starts with "host/" (without quotes) and the second for "Was machine authenticated" and Compound condition matchin username.


This way, it does not works, but when I don't pay attention in machine authentication it does works.


I have readed multiple "PEAP Machine Authentication" issues in the forum but nothing works in my case.


Any help please.

Actions

This Discussion