Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.2 EAP-TLS Binary Certificate Comparison via LDAP

Hello together,

i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest.

The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"

Evaluating Identity Policy

15004  Matched rule

22037  Authentication Passed

22023  Proceed to attribute retrieval

24031  Sending request to primary LDAP server

24016  Looking up user in LDAP Server - Alex Dersch

24008  User not found in LDAP Server

22015  Identity sequence continues to the next IDStore

24209  Looking up Host in Internal Hosts IDStore - Alex Dersch

24217  The host is not found in the internal hosts identity store.

22016  Identity sequence completed iterating the IDStores

but the user can access the WLAN just without verifying the user in the AD.

i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.

i configured the Binary Comparisation as below:

pic1.JPGpic2.JPGpic3.JPG

I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory. Am I wrong?

regards

alex

1 REPLY
Silver

ACS 5.2 EAP-TLS Binary Certificate Comparison via LDAP

Hello Alex,

Can you share a screenshot of your Authorization Rules? NOTE: the ones that refer to the AD Group Membership of the user.

I am assuming the ACS "Default" Rule is set to Permit Access when it should be set to Deny Access.

If this was helpful please rate.

Regards.

1003
Views
0
Helpful
1
Replies