Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 4.1 and AD question

I work for a large school district that is using an ACS 4.1 appliance to authenticate users (staff members) to a wireless network using our Staff AD database. The problem we have, which is not major for our staff, is that when we set up a user for the first time to access the wireless network, they must log in on wired and then after that they can use the wireless properly. The first login cannot be validated wireless if the user does not already have a profile created on the laptop.

2 questions: Do we have something misconfigured and if so, what is preventing the users from being able to login and authenticate wireless initially?

Second (closely related to the first), we would like to be able to authenticate student logins wirelessly using a different ACS in their own AD domain. We will be deploying many new student laptops in a few months, however, the way it is set up now (see above) is not going to work for students because they might not use the same laptop from day to day and it would be counterproductive to have them log into the machine wired for the first login. It really defeats the purpose of wireless.

Any suggestions.

Thanks in advance.


Re: ACS 4.1 and AD question

It seems that you have configured machine authentication that is why they are not able to connect.

With machine auth user need to have machine cert installed on their laptops. And as of now it seems that you have set up auto enrollment in AD ie when user connects to the domain , AD sends the machine cert to the laptop.

So that is why new user have to connect to domain using LAN so that machine cert is enrolled, once cert is installed they can login from wireless.

To bypass it you can manually install machine cert on each client or disable machine auth.



Community Member

Re: ACS 4.1 and AD question

Thank you.

Next question: How do I manually install this cert on each machine?

CreatePlease to create content