Cisco Support Community

New Member

EAP-TLS error in ACS 5.2

Hi,

I have configured RADIUS for dot1x in an ACS 5.2. When I try to connect a user to a dot1x-enabled switch port, I get the following error in the RADIUS log.

Description

Identity policy result is configured for password based authentication methods but received certificate based authentication request

Resolution Steps

Check the appropriate service in Access Service and its Identity source in Access Services > Sysaccess > Identity >. This error happens when the identity source is configured for password based authentication and received a certificate based authentication request.

The switchport configuration is:

    switchport access vlan 810
    switchport mode access
    authentication event fail action authorize vlan 132
    authentication event no-response action authorize vlan 810
    authentication port-control auto
    dot1x pae authenticator
    dot1x max-req 3
    ip verify source port-security
    end

Please help in correcting this in ACS 5.2

Regards,

Abhishek
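The switchport configuration in the question decides what a host gets when the EAP-TLS exchange fails or never happens, which the thread does not discuss. The following is an added example, not code from the original post, that parses those interface lines (embedded below as a constructed sample copied from the question) and reports the resulting 802.1X posture; the function name audit_dot1x_port is this example's own.

```python
"""Audit a Cisco IOS dot1x access-port config for the settings that decide what
happens after a failed EAP authentication or when no supplicant answers."""
import re

# Constructed sample: the switchport config posted in the thread, verbatim.
SAMPLE_PORT_CONFIG = """
switchport access vlan 810
switchport mode access
authentication event fail action authorize vlan 132
authentication event no-response action authorize vlan 810
authentication port-control auto
dot1x pae authenticator
dot1x max-req 3
ip verify source port-security
"""

# Matches the 'authentication event ... action ...' forms seen on IOS access ports.
EVENT_RE = re.compile(
    r"^authentication event (?P<event>fail|no-response|server dead)"
    r" action (?P<action>authorize vlan (?P<vlan>\d+)|next-method|authorize)")

def audit_dot1x_port(config_text):
    """Return a dict with the port's access VLAN, authenticator state,
    port-control mode, per-event actions and a list of findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    result = {"access_vlan": None, "authenticator": False,
              "port_control": None, "events": {}, "findings": []}
    for line in lines:
        if line.startswith("switchport access vlan "):
            result["access_vlan"] = int(line.split()[-1])
        elif line == "dot1x pae authenticator":
            result["authenticator"] = True
        elif line.startswith("authentication port-control "):
            result["port_control"] = line.split()[-1]
        else:
            m = EVENT_RE.match(line)
            if m:
                vlan = int(m.group("vlan")) if m.group("vlan") else None
                result["events"][m.group("event")] = (m.group("action"), vlan)
    # Without both of these the port never challenges the host at all.
    if not result["authenticator"] or result["port_control"] != "auto":
        result["findings"].append("port does not enforce 802.1X (no authenticator/auto)")
    fail = result["events"].get("fail")
    if fail and fail[1] is not None:
        result["findings"].append(
            f"a failed EAP authentication still gets network access in VLAN {fail[1]}")
    noresp = result["events"].get("no-response")
    if noresp and noresp[1] == result["access_vlan"]:
        result["findings"].append(
            f"a host with no supplicant lands in the normal access VLAN {noresp[1]}")
    return result
```

On the sample config the audit reports two findings: failed authentications are authorized into VLAN 132, and a host that never answers (the no-response case) is put straight into the regular access VLAN 810.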

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

EAP-TLS error in ACS 5.2

Ok,

Did you check the attribute that you want ACS to check in the incoming packet from the client?

Most important, select the certificate profile as an identity store under Access Policies -- access service name -- Identity -- select.

BR,

Tushar Gaba.

12 REPLIES
Cisco Employee

EAP-TLS error in ACS 5.2

Abhishek,

Can you please illustrate what kind of authentication you are trying to achieve in dot1x?

Is it MSCHAP (password based) or certificate based?

If it is password based then the configuration on ACS looks ok, because the error says that ACS is configured for password based. Then we need to check the right EAP flavor on the client.

If it is certificate based then we need to create a certificate profile which will be called in Identity:

Access Policies == access service (name) == Identity.

We first need to create the same under Users and Identity Stores == Certificate Authentication Profile == specify what you want ACS to look for in the certificate (example: CN, subject).

Look forward to hearing from you.

Regards,

Tushar Gaba.

New Member

EAP-TLS error in ACS 5.2

[Screenshot: Users and Identity Stores > Identity Store Sequences > Edit: "CertBaseAuth". Authentication Method List: Certificate Based (Certificate Authentication Profile), Password Based; Additional Attribute Retrieval Search List (an optional set of additional identity stores from which attributes will be retrieved); Internal User/Host Advanced Option.]

Hi Tushar,

Thanks for your reply.

Configuration has already been set for the certificate based authentication. Kindly check the above screenshot.

Though I have changed the Certificate Authentication Profile above to the default profile, I have checked it for another profile too. The error is the same.

Rgds,

Abhishek
New Member

EAP-TLS error in ACS 5.2

That seems to be the issue, as I am not able to select any option under Identity. Whenever I try to change any setting over there, e.g. select 'rule based result selection' and then try to edit the default rule, the below error comes:

ACS: Resource not found or internal server error


ErrorCode: 500 has occured. Click here to get back to the server

Also to let you know, the ACS here is an evaluation version.

Can it be related to it?

Rgds,

Abhishek

Cisco Employee

EAP-TLS error in ACS 5.2

This is a known error.

Please log out of the ACS and log in back again.

The evaluation version should not be a problem.

Thanks,

Tushar Gaba.

New Member

EAP-TLS error in ACS 5.2

When I click on the 'rule based result selection' below

and then try to create after clicking the checkbox beside the 'status'

The below popup appears:

What can be the issue?

Rgds,

Abhishek

New Member

EAP-TLS error in ACS 5.2

The issue was with the firefox...not able to check the setting in it, properly. Making the changes through IE. Will revert back with the status.

Rgds,

Abhishek

Cisco Employee

EAP-TLS error in ACS 5.2

Ok.

Cisco Employee

EAP-TLS error in ACS 5.2

Please don't forget to rate Tushar's feedback on this matter. Also, mark this thread resolved so that it may help other community members facing similar issues.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

EAP-TLS error in ACS 5.2

Thanks Tushar! It's working flawlessly now. Able to authenticate the user on a certificate basis.

Lesson learnt: Always use IE for Cisco ACS GUI.

Regards,

Abhishek

Cisco Employee

Re: EAP-TLS error in ACS 5.2

Most welcome.

IE and Mozilla are the only documented browsers which support ACS.

The trick is the version of IE and Mozilla. You can find the supported browsers and their versions in the release notes.

I hope it was helpful. Please rate if the issue stands resolved, so that if any new person sees it he/she can take it as a valuable solution.

Best regards,

Tushar Gaba.

New Member

EAP-TLS error in ACS 5.2

Hi Tushar,

Can you please also let me know how to resolve the issue of dot1x connectivity when a user has connected his laptop to a dot1x-enabled port and the laptop is yet to boot?

Rgds,

Abhishek
