Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate Services

Hi,

I receive the following error message when the identity source within the identity policy, underpinning the ACS access service I have configured for EAP-TLS, is set to active directory (AD1):

“22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request”.

When I change the identity source to the certificate services profile that I created, then the WLAN client connection is successful. 

My interpretation of this, which could be completely wrong, is that ACS and WLAN client trust each other’s certificates, but EAP-TLS is incorrectly configured on the ACS server?

Any assistance would be greatly appreciated!

Thanks in Advance,
dnsMSS Support

5 REPLIES
Cisco Employee

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate S

This is as expected. Each rule in identity policy selects an identity source as its result.

for password based authentication it would be an indetity database (eg LDAP, AD, internal) or a sequence of databases

In the case of EAP-TLS there is no password based authenticatiion and so instead a certificate authentiction profile is selected as the result. This profile can define the following

- which field from the certificate is to be used to contain the username that will be utilized for the processing

- whether to do a binary lookup and comparison of the certificate in a selected AD or LDAP identity store

For any EAP-TLS authentication if there is no certificate based authenication enabled in the identity source result you will get the failure code you mentioned in your post

“22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request”.

New Member

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate S

Hi,

When the identity source is set to the certificate services profile I have x509 PKI authentication, but I want EAP-TLS authentication.

Are you suggesting that I need to create an identity store sequence to achieve this containing both the AD server and the certificate services profile?

Thanks!

Cisco Employee

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate S

If you are doing EAP-TLS then what are you using AD for? What data do you want to retrieve from it and what do you want to do with it?

New Member

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate S

Hi,

I’d like to configure ACS to authenticate and authorise users and computer against AD, which is my authoritative directory service. More specifically, I’d like to setup ACS as described in section 8 of the Cisco ACS 5.3 user guide – from page 8-38 onwards.

With the identity source to certificate profile, I don’t believe ACS is checking the status of the user or computer account in AD? For example, if the user account is locked but the certificate is valid, the connection will still be allowed because the certificate is valid.

Thanks!

EAP-TLS with ACS 5.3, WLC 7.0, Windows 2003 AD and Certificate S

You can check the attribute of the user if you are able to retreive it first. Here is a link to the attribute and the different values. You can setup a condition under you access policy that can check the value if it locked then you can deny access.

http://support.microsoft.com/kb/305144

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
2567
Views
0
Helpful
5
Replies