Cisco Support Community
New Member

WLC domain user authentication

Hi Gurus,

I'm having a problem configuring my WLC domain users. I have ACS v3.3 and WLC 4112.

I followed this instruction but I still keep on authenticating whenever I try to connect my laptop to a certain SSID. Also, the Windows login prompts me only once. Please help me.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#manual

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: WLC domain user authentication

What said "Machine Authentication is not permitted"?

Make sure that ACS has it enabled:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

19 REPLIES

Re: WLC domain user authentication

Emmanuel,

What kind of 802.1x authentication are you trying: LEAP, PEAP, EAP-FAST? These are all dependent on specific factors in the WLC, ACS and remote device.

New Member

Re: WLC domain user authentication

Hi Andrew,

Thanks for the response,

I'm currently using PEAP. I'm able to connect but it keeps saying "attempting to authenticate".

I don't know what the point of failure is here. Appreciate your help.

Thanks,

Jong

Re: WLC domain user authentication

What is the error message if any in the ACS logs?

New Member

Re: WLC domain user authentication

It says, user access filtered.

New Member

Re: WLC domain user authentication

Here are also the logs on my WLC.

It's saying "00:0e:35:c0:78:d3 /user 'unknown'" but my login works fine on other AAA client devices using the external DB also.

Log System Time Trap

0 Wed May 14 23:47:03 2008 RADIUS server 202.162.160.253:1812 failed to respond to request (ID 138) for client 00:0e:35:c0:78:d3 / user 'unknown'

Thanks,

Jong

New Member

Re: WLC domain user authentication

Do I need to enable IPsec?

Hall of Fame Super Silver

Re: WLC domain user authentication

Verify the shared secret key between the ACS and the WLC.

-Scott
*** Please rate helpful posts ***

Re: WLC domain user authentication

Have you configured the ACS server to accept authentication requests from the WLC?

New Member

Re: WLC domain user authentication

Yes, I have configured my ACS server to authenticate the user's request via AD.

Sometimes the ACS says that my login is authenticated, but sometimes it fails. It takes a long time (10-15 min) to reauthenticate again, and the WLC says "Radius not responding". But sometimes it's good.

New Member

Re: WLC domain user authentication

Have you configured the ACS server to use PEAP? Do you have a certificate on the ACS server (not the self-signed cert, but one from a CA)?

New Member

Re: WLC domain user authentication

Yes, I have configured PEAP and LEAP on my ACS. Our systems admin configured a certificate and that's what I'm using on my ACS. But when I get connected, it's suddenly disconnected. I'm using 8

New Member

Re: WLC domain user authentication

Get your config working with LEAP first. Since LEAP doesn't require Certs it eliminates any cert issues. Test with local accounts on the ACS as that removes any issue between the ACS and AD. Also make sure you have the appropriate drivers on the clients.

New Member

Re: WLC domain user authentication

Run a debug on the controller: debug client and then debug aaa events enable. This should lead you in the direction to see what is failing and where.

New Member

Re: WLC domain user authentication

I think my authentication has now been resolved. But I still have a problem: whenever the user logs out on the workstation, the session disconnects from the network. Is there a way to keep the connection connected?

Thanks

Jong

New Member

Re: WLC domain user authentication

Yes, if you are using the Microsoft Zero Config client you need to select the option to authenticate as a computer as available. You should see in your logs either a pass or fail as "host\computername".

If you are using another client (Intel, Cisco, etc), you may or may not be able to make this work. I know on the Intel you can make a persistent connection.

New Member

Re: WLC domain user authentication

Hi,

I tried and it said "Machine authentication is not permitted". What action should I take next?

Thanks,

Jong

New Member

Re: WLC domain user authentication

What said "Machine Authentication is not permitted"?

Make sure that ACS has it enabled:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

New Member

Re: WLC domain user authentication

Yes, I think this will work. I'll let you know once I have implemented the config.

Good document!

Thanks,

Jong

New Member

Re: WLC domain user authentication

Thanks so much for helping me.

Regards,

Jong
