Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

802.1x with AD support via ACS 4

Hello ,

I have been trying to configure 802.1x Authentication on a test switch . Authentication will be provided by the ACS server . This worked when I had the client setup for EAP-MD5 and had local user accounts on the ACS server . However this is impractical if we were to deploy this on a large scale. How can i configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database . The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake "

Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.

Thanks.

Karthik

2 REPLIES

Re: 802.1x with AD support via ACS 4

Karthik,

With AD we need to use PEAP. There error we are getting is due to certificate. Please uncheck validate server certificate in wireless client and try to authentication.

Regards,

~JG

Do rate helpful posts

New Member

Re: 802.1x with AD support via ACS 4

Hi Karthik,

The SSL handshake will fail in our experience for any of the following reasons:

- The supplicant cannot access the private key corresponding to it's certificate - check that the system a/c has pemissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys

- The ACS sever does not trust the Root Certificate for the PKI that issued the supplicants certificate - Is the Supplicants Root CA present in the ACS Certificate Trust List?

- CRL checking is enabled and the CRL has expired or is inaccessible

If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason

Hope that helps

Andy

172
Views
0
Helpful
2
Replies