We've got an ACS 5.1 virtual appliance for device administration tasks and now we want to authenticate wireless domain users, but only by their username/password, without trusting any CA certificates from the AD (is an ACS certificate required too?).
Maybe there are some steps I have missed, but I can't locate where the problem is:
- The ACS is connected to AD correctly, as people from the administrator group access device admin successfully.
- AAA clients are defined (autonomous APs) matching the RADIUS protocol.
- Policy elements > Authorization > Network Access: a new profile has been created to grant access to the network, with all the combos at the default value.
- A new Access Policy > Access Service has been created (WIFI) matching the protocol EAP-TLS (I think this is the problem).
- Identity is set to AD1.
- Authorization has a rule with a compound condition matching AD1 -> External Group -> Wireless group, and Authorization Profiles set to the one created in step 3.
This is the configuration of the AP with the necessary commands:
aaa group server radius rad_eap
server a.b.c.d auth-port 1812 acct-port 1646
server a.b.c.d auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group rad_eap local
!
dot11 vlan-name WPA vlan 199
dot11 ssid LABREDES_CERT
vlan 199
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
mbssid guest-mode dtim-period 75
!
interface Dot11Radio0
encryption vlan 199 mode ciphers tkip
....
We have spent some days and nothing seems to work, but nothing appears in the ACS log, and a debug (radius, aaa authentication) on the AP only shows (AAA/BIND(0000014E): Bind i/f).
Any help would be appreciated.
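Added example (editor's code, not part of the original post): when the ACS log stays empty, a useful first check is whether a plain RADIUS Access-Request from the AP's address reaches the server and gets any answer at all, independently of the EAP method. The script below builds a PAP Access-Request by hand per RFC 2865 (User-Password hiding, Request Authenticator), sends it over UDP, and verifies the Response Authenticator of whatever comes back so a reply with a wrong shared secret is not mistaken for a real verdict. The server address 192.0.2.10, the secret, the username/password and the NAS IP in the usage block are placeholders; the posted config lists both 1812 and 1645 as auth ports, so the probe tries both. An Access-Accept or Access-Reject proves the AAA client entry and shared secret are accepted; a timeout on both ports means the packet is being dropped before any access-service or EAP logic runs.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19


def encrypt_password(password, secret, authenticator):
    """Hide a User-Password as in RFC 2865 section 5.2: pad to 16-octet blocks and
    XOR each block with MD5(secret + previous ciphertext block); the first block
    is keyed with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(hidden, secret, authenticator):
    """Inverse of encrypt_password (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Encode one attribute as Type, Length (including the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, ident=0, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, attrs, request_auth, secret):
    """Build a server reply: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Used here only to construct test replies offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def parse_response(data, request_auth, secret):
    """Verify the Response Authenticator and return (code, ident, [(type, value), ...]).
    Raises ValueError on a malformed packet or a reply built with a different secret."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    data = data[:length]
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs, pos, raw = [], 0, data[20:]
    while pos < len(raw):
        if pos + 2 > len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return code, ident, attrs


def probe(server, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request and classify the outcome: 'accept', 'reject',
    'timeout' (nothing came back), 'unreachable' (socket error such as ICMP port
    unreachable) or 'invalid' (reply failed the authenticator or ID check)."""
    pkt, req_auth = build_access_request(username, password, secret, nas_ip, ident=1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(pkt, (server, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()
    try:
        code, ident, _ = parse_response(data, req_auth, secret)
    except ValueError:
        return "invalid"
    if ident != 1:
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with the ACS address, the shared secret
    # of the AP's AAA client entry, a domain user, and the AP's own IP as NAS-IP-Address.
    for port in (1812, 1645):
        print(port, probe("192.0.2.10", port, b"shared-secret", "wifiuser", "password", "10.0.0.2"))
```

Run it from a host whose source address matches an AAA client defined on the ACS (or temporarily define the probing host as one), since the server silently discards requests from unknown clients. A reject is still a positive result here: it shows the request was accepted and processed, and the corresponding failure should then appear in the ACS log with the reason.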