10-28-2013 09:47 AM - edited 03-10-2019 09:02 PM
Hello guys,
I am trying to test the wireless authentication and authorization with my wireless users via ACS 4.2. I have the 4.2 trial version on Windows 2003 for testing. I also have WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.
The Windows 2003 server is part of the domain, and on the ACS I went to External Database > Database Configuration > Windows Database > Configure.
From here I selected my domain and ticked "Enable EAP-TLS Machine Authentication". I also have mapped the domain to the group I created in ACS.
I also changed the default RADIUS ports to 1812 and 1813 on the ACS.
On my WLC 5508, I created a WLAN and set the RADIUS IP to the ACS IP address. However, when I tried to join the wireless network, it kept failing.
I have installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to the AD/NPS that I have, my test laptop was able to join the wireless network via EAP-TLS.
I am a little confused about the ACS TACACS+. Is TACACS+ used only for logging into network devices for management, or can it be used for regular users for authentication and authorization?
For example, a wireless user who is part of the domain needs to join a wireless enterprise network for his office work. Can I use TACACS+ for this, or does it have to be RADIUS via ACS 4.2?
Thanks
10-28-2013 11:09 AM
No, we can't use TACACS+ for wireless. It has to be RADIUS.
So have you added the wireless controller on ACS as a RADIUS AAA client?
What all certificates have you installed on ACS server?
What error message are we getting when you point WLC towards ACS and try to authenticate wireless users?
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 12:45 PM
If I understand you correctly, TACACS+ is not used for client wireless authentication. Am I right? I am assuming this also applies to wired users.
Yes, I added the WLC 5508 as a RADIUS client, "RADIUS (Cisco IOS/PIX 6.0)".
This is the log that I got from the ACS:
Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
10/28/2013 | 14:25:31 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 | ||||||||
10/28/2013 | 14:25:35 | Unknown NAS | (Unknown) | 172.28.255.42 | ||||||||||||||
10/28/2013 | 14:26:26 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 |
I am not sure how to install the CA into ACS.
10-28-2013 01:05 PM
Yes, that's right, and it applies to wired as well.
On the ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).
Configuring WLC and ACS for radius settings.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
You may visit the link listed below to install a certificate on ACS 4.2.
~BR
Jatin Katyal
**Do rate helpful posts**
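The two failures in the ACS report above ("Unknown NAS" and "EAP_TLS Type not configured") map directly onto the two fixes in this thread: the WLC was not yet an AAA client on ACS, and ACS had no EAP-TLS/certificate setup. Below is an added triage script (not from the thread or from Cisco) that parses the pipe-separated ACS 4.2 report rows quoted above and summarises which fix each failure points at; the failure-to-fix mapping is assumed from the thread's advice, and the report rows are the ones posted above, embedded as constructed sample input.

```python
from __future__ import annotations
import re
from collections import Counter

# Failure strings from the thread's ACS 4.2 report and the fix each points at (assumed meanings).
REMEDIATION = {
    "Unknown NAS": "authenticator is not an AAA client on ACS; add the WLC as RADIUS (Cisco Airespace) with a matching shared secret",
    "EAP_TLS Type not configured": "EAP-TLS is not enabled on ACS and/or no server certificate / trusted CA is installed",
}

# Constructed sample: the report rows quoted in the thread (header line first).
SAMPLE_REPORT = """\
Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
10/28/2013 | 14:25:31 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 | ||||||||
10/28/2013 | 14:25:35 | Unknown NAS | (Unknown) | 172.28.255.42 | ||||||||||||||
10/28/2013 | 14:26:26 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | 1 | 172.28.255.42 | RK2WLC5508-01 |
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_rows(report: str) -> list[dict]:
    """Split the report into rows, skipping the header. Empty cells are dropped because
    ACS collapses unused trailing attributes, so columns cannot be matched by position."""
    rows = []
    for line in report.splitlines()[1:]:
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) >= 3:
            rows.append({"date": cells[0], "time": cells[1],
                         "message_type": cells[2], "fields": cells[3:]})
    return rows

def classify(row: dict) -> tuple[str, str] | None:
    """Return (failure string, suggested fix) if the row carries a known failure, else None."""
    for text in (row["message_type"], *row["fields"]):
        if text in REMEDIATION:
            return text, REMEDIATION[text]
    return None

def triage(report: str) -> dict:
    """Count known failures and collect the NAS addresses that ACS rejected as unknown."""
    counts: Counter = Counter()
    unknown_nas: set[str] = set()
    for row in parse_rows(report):
        hit = classify(row)
        if hit:
            counts[hit[0]] += 1
            if hit[0] == "Unknown NAS":
                # The rejected NAS IP is the only IPv4 value left in the collapsed row.
                unknown_nas.update(f for f in row["fields"] if IPV4.match(f))
    return {"counts": dict(counts), "unknown_nas": sorted(unknown_nas)}
```

Running `triage(SAMPLE_REPORT)` on the quoted rows reports two "EAP_TLS Type not configured" failures and one "Unknown NAS" from 172.28.255.42, i.e. the WLC still had to be added as an AAA client and EAP-TLS with a certificate enabled on ACS.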
10-28-2013 03:39 PM
Thanks. The link you provided helped me get EAP-TLS wireless working.
Sent from Cisco Technical Support iPhone App
10-28-2013 03:54 PM
Wonderful. Thanks for sharing!!!
~BR
Jatin Katyal
**Do rate helpful posts**
10-29-2013 06:50 AM
I have another question regarding the passwords for my servers.
Since I joined my Windows 2003 server with ACS 4.2 to the domain, the admin password for my AD/NPS and CA servers has changed to the Windows 2003 admin password.
Is this normal?
Sent from Cisco Technical Support iPhone App
10-30-2013 06:10 AM
That has nothing to do with ACS joining AD (the domain). This is not default behaviour.
~BR
Jatin Katyal
**Do rate helpful posts**