12-29-2011 06:42 AM - edited 07-03-2021 09:18 PM
I need to authenticate my wireless network with Cisco Secure ACS 4.2 for the internet users (guest network), but I don't want to use a CA certificate. Can I do that? How do I have to do it? What authentication protocol must I use? Where can I find this configuration?
12-29-2011 07:43 AM
Do you have a WLC? What type of authentication are you trying to use?
You can do that, but that would mean you would need to put all the guest usernames and passwords into ACS. If you have a WLC, usually you would use that to host the splash page and the guest credentials.
12-29-2011 09:23 AM
Thanks for your answer. I was trying to use EAP-FAST, but I couldn't make it work.
I don’t have a WLC and I need to authenticate the wireless connection with the ACS software because the users will use only internet and I need to have control over the connection time. I know that I have to create usernames and passwords, but I don’t have another choice.
Do you have any tips for this implementation? I need the authentication only.
Thanks
12-29-2011 09:33 AM
If you plan on using authentication for internal users, you might as well do 802.1X PEAP, which only requires a cert on the ACS. You can then tie ACS to AD or just have local credentials in ACS.
Thanks,
Scott Fella
Sent from my iPhone
12-29-2011 09:50 AM
I'll use only local credentials, because the users that will use this wireless don't have credentials in the AD. If I use PEAP and a cert, is it necessary to install the cert on the laptops?
Thanks
12-29-2011 11:14 AM
PEAP only requires a certificate in ACS (RADIUS).
Sent from Cisco Technical Support iPhone App
12-29-2011 11:18 AM
Here is a good link for autonomous configuration.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/prod_configuration_examples_list.html
Sent from Cisco Technical Support iPhone App
01-02-2012 07:09 AM
I was checking the link and I am trying to load the certificate in the ACS, but when I try to connect my laptop to the network the wireless client asks me for the certificate installed on the PC. What do I have to do if I only need the authentication?
01-02-2012 07:13 AM
The only certificate required for PEAP is a server-side certificate installed on the RADIUS server. If you are trying to use EAP-TLS, then you need the one on the RADIUS server and one in each client. I would first try to use PEAP and get that to work before you even try EAP-TLS.
Please check how you set up your client device.
Thanks,
Scott Fella
Sent from my iPhone
01-02-2012 07:18 AM
In the client config there is a check box to validate the server certificate. You can uncheck this box, as the client does not need to validate the cert.
HTH,
Steve
Sent from Cisco Technical Support iPad App
01-02-2012 07:17 AM
Have you successfully added a certificate in ACS? You can use a self-signed certificate.
Verify the RADIUS configuration.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html
Sent from Cisco Technical Support iPhone App
01-02-2012 11:20 AM
The certificate was installed, but when I try to enable the PEAP configuration the Cisco ACS shows me this error:
"Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page."
What do I have to do? I tried to enable the certificate 4 times and the result is the same.
01-02-2012 11:33 AM
That means you don't have a valid certificate installed. You need to create a new self-signed certificate and make sure it is enabled for EAP.
Thanks,
Scott Fella
Sent from my iPhone
01-02-2012 11:37 AM
Remove the other certificates and here is a link.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/SCAuth.html#wp327462
Thanks,
Scott Fella
Sent from my iPhone