
ACS 5.1, PEAP (EAP-GTC) Machine Authentication with LDAP

cuellar52
Level 1

Hi,

I have a

  • Cisco 5508 wireless controller
  • Cisco ACS 5.1
  • LDAP connection

I have set up the wireless controller to do RADIUS authentication with the ACS 5.1 using LDAP. The setup is currently working. Brief info on the setup is below.

I set up the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenticate and on the network I go.

Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.

Can someone please explain a way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.

So it will be a two form authentication one with certificates and the other ldap.

Can anyone help me out with the certificate aspect, to incorporate this into my already working LDAP setup?

18 Replies

Edgardo,

My apologies I posted the wrong link

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121

Thanks,

Sent from Cisco Technical Support iPad App

Edgardo Cuellar wrote:

Is there any way we can import this template into 2008 R2 server?

W2k8R2 CA refusing to accept the ACS certificate request was something I wasted two hours on yesterday. The final answer to make it work was to use certreq through CMD, supplying the webserver template:

certreq -attrib "CertificateTemplate:webserver" -submit ssl.req

As Tarik already stated, the webserver template is perfectly OK. There was just the question of how to retrofit it onto a CSR missing the MS extension to request it in the first place, and the only thing I came up with was the above statement.

HTH,

Andre.
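The check below is an added example, not part of the reply above or of any Cisco or Microsoft tool: it reads a PEM CSR such as ssl.req and reports whether the request already carries one of Microsoft's certificate-template extensions, which is the condition that decides whether the -attrib form is needed. The function names and the constructed sample CSR are assumptions made for illustration.

```python
import base64

# Microsoft template extensions: v1 template name and v2 template information.
TEMPLATE_OIDS = {"1.3.6.1.4.1.311.20.2", "1.3.6.1.4.1.311.21.7"}

def decode_oid(body):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)     # first byte packs the two leading arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def iter_oids(der):
    """Walk DER TLVs, descending into constructed values, yielding each OID."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:             # long-form length: next n bytes hold it
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        if i + length > len(der):
            raise ValueError("truncated DER")
        body, i = der[i:i + length], i + length
        if tag == 0x06:               # OBJECT IDENTIFIER
            yield decode_oid(body)
        elif tag & 0x20:              # SEQUENCE, SET, [0] attributes
            yield from iter_oids(body)

def requests_template(csr_pem):
    """True if the PEM CSR itself carries a certificate-template extension."""
    b64 = "".join(l for l in csr_pem.splitlines() if not l.startswith("-----"))
    return any(o in TEMPLATE_OIDS for o in iter_oids(base64.b64decode(b64)))

def tlv(tag, *parts):  # sample-building helper: short-form DER TLV only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_csr(with_template):  # constructed CSR skeleton, not a real request
    ext_oid = bytes.fromhex("2b0601040182371402" if with_template else "551d0f")
    ext = tlv(0x30, tlv(0x06, ext_oid), tlv(0x04, b"\x03\x02\x05\xa0"))
    attr = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01090e")), tlv(0x31, tlv(0x30, ext)))
    info = tlv(0x30, b"\x02\x01\x00", tlv(0x30), tlv(0x30), tlv(0xA0, attr))
    der = tlv(0x30, info, tlv(0x30), b"\x03\x01\x00")
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE REQUEST-----\n"
```

A False result for a real request file means the CA has no template named in the CSR and the template has to be supplied at submission time, as in the certreq command above.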

Hi Guys,

Thanks for all the replies; the correct link is def what I was after, and the information from abpsoft looks like it will help out a lot. My only issue is I am the network engineer and trying to get the server and systems team to help with the certificate is being a pain.

I'll message you privately, Andre; maybe you could help me out?

Thanks Tarik;

I had that annoying

"This System Failure occurred: Certificate is associated with a protocol.  Hence it cannot be deleted.. Your changes have not been save. Click OK  to return to the list page."

problem. We are mucking around with installing real certs from GeoTrust and naturally did not get it right the first time, and had to delete.

The easy fix was to take the self-signed local cert and add EAP to the proto. That let me delete the experimental GeoTrust cert, which had been configed with only EAP.

Thanks!

Steve
