ACS 3.3 PEAP authentication problem

Hello,

We're running ACS 3.3 on a Windows 2003 server. We're using this server for RADIUS and integrating a Windows database.

Our wireless clients use PEAP to authenticate.

Suddenly none of our wireless clients can authenticate throughout our enterprise, which is turning out to be quite a serious problem.

Our configuration hasn't changed. I'm wondering if something happened to our certificate. We're using a self-signed certificate that we generated via ACS.

Can I simply issue a new cert via ACS and see what happens?

I'm really in a bind right now.

Thanks

12 REPLIES

Re: ACS 3.3 PEAP authentication problem

Self-signed certs are only valid for one year. Since all wireless users can't connect, I believe that the ACS cert has expired.

Please go ahead and install a new SSCert.

Regards,

~JG

Do rate helpful posts
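
To test the expiry hypothesis from the reply above before regenerating anything, the certificate's notAfter date can be checked directly. This is an added example, not part of the original thread; it assumes the server certificate has been exported to a PEM file and that the `openssl` command-line tool is available, and the sample certificate with CN `acs.example.test` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report how close a RADIUS/EAP server
# certificate is to expiry, so a one-year self-signed cert is renewed early.
# Assumption: the server certificate has been exported to a PEM file.

# cert_status FILE [WARN_DAYS]
# Prints "<STATUS> <detail>"; returns 0 OK, 1 EXPIRING, 2 EXPIRED, 3 UNREADABLE.
cert_status() {
    cert=$1
    warn_days=${2:-30}
    # Parse first, so a missing or corrupt file is not reported as expired.
    end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) || {
        echo "UNREADABLE $cert"
        return 3
    }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $end"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING $end"; return 1
    fi
    echo "OK $end"
}

# make_sample_cert DIR: constructed test input, a throwaway self-signed
# certificate valid for 365 days (hypothetical CN, key is discarded with DIR).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=acs.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: sh certcheck.sh /path/to/server-cert.pem 30
if [ "$#" -ge 1 ]; then
    cert_status "$@"
fi
```

Run on a schedule with a warning window of a few weeks, the non-zero return codes can feed a monitoring alert well before clients start failing PEAP.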

Re: ACS 3.3 PEAP authentication problem

Thanks JG,

So simply going into ACS, System Config, Generate new Self Signed Cert, and then installing it may solve the problem?

Will this affect any other settings?

Thanks,

John

Re: ACS 3.3 PEAP authentication problem

Yes, that is all we need to do. It will not affect any other settings.

Regards,

~JG

Re: ACS 3.3 PEAP authentication problem

Hello JG,

You are correct, thanks. Just paranoid, I guess.

In the ACS System Configuration to generate a new self-signed cert, I want to make sure I don't need to change any of the fields that are already entered. It looks like I just need to enter the private key password, and then check the box to "Install generated Certificate", and submit.

Thanks,

John

Re: ACS 3.3 PEAP authentication problem

Yes, John.

That will do it.

Regards,

~JG

Re: ACS 3.3 PEAP authentication problem

Well JG, I was hoping for the best, but we're still having authentication problems.

We're getting "External DB Account Restriction" errors. I already went through all the posts for this error.

Do you have any experience with this error?

Thanks,

John

Re: ACS 3.3 PEAP authentication problem

John,

That error is due to a permission issue. Make sure the account running the remote agent or ACS services has domain admin rights.

Configuring for Member Server Authentication

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/windows/postin.html#wp1041304

Regards,

~JG

Re: ACS 3.3 PEAP authentication problem

JG,

Is this document also applicable to ACS 3.3? Thanks, it has a lot of good info in it. I'm going over it now.

We're running ACS on a Domain Controller and all ACS services are using the Domain Admin account to login.

Anything else it could be?

Thanks,

John

Re: ACS 3.3 PEAP authentication problem

John,

Please check your group mapping. It may be possible that the user is getting mapped to a disabled group.

If that is not the issue, then we need to see auth.log, which will tell us the reason for the failure.

Increase the logging level to full, recreate the issue, and see auth.log.

Regards,

~JG

Re: ACS 3.3 PEAP authentication problem

Sorry, where exactly in ACS do I increase the logging level to full?

Thanks for your help.

John

Re: ACS 3.3 PEAP authentication problem

JG,

We wound up installing ACS on another server, but I'm sure it was a Windows permission issue as you pointed out. We didn't have enough time to investigate further.

Thanks,

John

Re: ACS 3.3 PEAP authentication problem

John,

I hope installing ACS on another server fixed it.

All the best!

Regards,

~JG
