Cisco Support Community
New Member

Cisco ACS Wireless Authentication

Hello guys,

I am trying to test the wireless authentication and authorization with my wireless users via ACS 4.2. I have the 4.2 trial version on Windows 2003 for testing. I also have WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

The Windows 2003 is part of the domain; and on the ACS, if I go to External Database > Database Configuration > Windows Database > Configure

From here I selected my domain and ticked "Enable EAP-TLS Machine Authentication". I also have mapped the domain to the group I created in ACS.

I also changed the default RADIUS ports to 1812 and 1813 on the ACS.

On my WLC 5508, I created a WLAN and set the RADIUS IP to the ACS IP address. However, I tried to join the wireless network. It keeps failing.

I have installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to AD/NPS that I have, my test laptop was able to join the wireless network via EAP-TLS.

I am a little confused about the ACS TACACS+. Is TACACS+ used only for logging into network devices for management or can it be used for regular users for authentication and authorization?

For example, a wireless user, who is part of the domain, needs to join a wireless enterprise network for his office work. Can I use TACACS+ for this or does it have to be RADIUS via ACS 4.2?

Thanks

7 REPLIES
Cisco Employee

Cisco ACS Wireless Authentication

No, we can't use TACACS+ for wireless. It has to be RADIUS.

So have you added the wireless controller on ACS as a RADIUS AAA client?

What all certificates have you installed on ACS server?

What error message are we getting when you point WLC towards ACS and try to authenticate wireless users?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Cisco ACS Wireless Authentication

If I understand you correctly, TACACS+ is not used for client wireless authentication. Am I right? I am assuming this also applies to wired users.

Yes, I added the WLC 5508 as a RADIUS client "RADIUS (Cisco IOS/PIX 6.0)."

This is the log that I got from the ACS:

| Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10/28/2013 | 14:25:31 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | | | 1 | 172.28.255.42 | | | | | | RK2WLC5508-01 | |
| 10/28/2013 | 14:25:35 | Unknown NAS | | | | (Unknown) | | | | | 172.28.255.42 | | | | | | | |
| 10/28/2013 | 14:26:26 | Authen failed | client01@aaeng.local | Default Group | 44-94-fc-5b-21-19 | (Default) | EAP_TLS Type not configured | | | 1 | 172.28.255.42 | | | | | | RK2WLC5508-01 | |

I am not sure how to install the CA into ACS.
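
A way to triage a Failed Attempts log like the one in the post above, grouping rows by NAS IP so that per-user failure codes and "Unknown NAS" rejections from the same source show up together. This is an added example, not part of the original thread or Cisco's tooling; the comma-separated layout and the `triage` function are assumptions, and the sample rows are re-typed from the post.

```python
import csv
import io
from collections import defaultdict

# Column names as shown in the post; the comma-separated layout is an assumption.
HEADER = ("Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,"
          "Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,"
          "Author-Data,NAS-Port,NAS-IP-Address,Filter Information,"
          "PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,"
          "Access Device,Network Device Group")
# Constructed sample: the three rows from the post, re-typed as CSV.
FAILED = ("10/28/2013,{t},Authen failed,client01@aaeng.local,Default Group,"
          "44-94-fc-5b-21-19,(Default),EAP_TLS Type not configured,,,1,"
          "172.28.255.42,,,,,,RK2WLC5508-01,")
UNKNOWN = "10/28/2013,14:25:35,Unknown NAS,,,,(Unknown),,,,,172.28.255.42,,,,,,,"
SAMPLE = "\n".join([HEADER, FAILED.format(t="14:25:31"), UNKNOWN,
                    FAILED.format(t="14:26:26")])


def triage(csv_text):
    """Return (nas_ip, finding, users) tuples summarising the failed attempts."""
    by_nas = defaultdict(lambda: {"codes": defaultdict(set),
                                  "devices": set(), "unknown": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        nas = by_nas[row["NAS-IP-Address"]]
        if row["Message-Type"] == "Unknown NAS":
            nas["unknown"] += 1          # request was not tied to an access device
            continue
        if row["Access Device"]:
            nas["devices"].add(row["Access Device"])
        code = row["Authen-Failure-Code"] or row["Message-Type"]
        nas["codes"][code].add(row["User-Name"])

    findings = []
    for ip in sorted(by_nas):
        nas = by_nas[ip]
        for code in sorted(nas["codes"]):
            findings.append((ip, code, sorted(nas["codes"][code])))
        if nas["unknown"] and nas["devices"]:
            # Same source IP appears both with and without a resolved device.
            names = ",".join(sorted(nas["devices"]))
            findings.append((ip, "Unknown NAS from an IP also logged as " + names, []))
        elif nas["unknown"]:
            findings.append((ip, "Unknown NAS", []))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
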

Cisco Employee (Accepted Solution)

Cisco ACS Wireless Authentication

Yes, that's right, and it applies to wired as well.

On the ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

Configuring WLC and ACS for RADIUS settings:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

You may visit the link listed below to install the certificate on ACS 4.2:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: Cisco ACS Wireless Authentication

Thanks. The link you have provided helps me to get EAP-TLS wireless working.


Cisco Employee

Re: Cisco ACS Wireless Authentication

Wonderful. Thanks for sharing!!!

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: Cisco ACS Wireless Authentication

I have another question regarding the passwords for my servers.
Since I joined my Windows 2003 with ACS 4.2 to the domain, my admin password for my AD/NPS and CA servers has changed to the Windows 2003 admin password.

Is this normal?


Cisco Employee

Re: Cisco ACS Wireless Authentication

That's nothing to do with ACS joining AD (Domain). This is not a default behaviour.

~BR
Jatin Katyal

**Do rate helpful posts**
