Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Aironet (LEAP) with ACS v3 and RSA ACE Server

I've been trying to test a configuration concept as follows. Setup Aironet APs and clients to use LEAP authentication via AAA in ACS for accounting and proxy the login to the RSA token server for the login via a single sign on for the clients. The problem I'm having is that I can't find any documentation on how and what I need to all have in place within ACS and the RSA ACE server. I'm guessing that I'll have to use the LEAP proxy RADIUS server configuration setup for external databases. So far however I have not been able to get any configurations to actually send a login to the ACE server. I had first tried to use the RSA SecurID token server setup as an external database but that doesn't work. I think that some information is being stripped and not making it to the ACE server once it gets to the ACS server as I get "Radius extension DLL rejected user" errors in my failed attempts logs. I'm not sure if anyone out there has this configuration working yet as the LEAP support with the Aironet and ACS is rather new and new to me.

Does anyone have any ideas?

Cisco Employee

Re: Aironet (LEAP) with ACS v3 and RSA ACE Server

Pls. refer

Table 1-2: Password Authentication Protocol and User Database Compatibility

The matrix explicitly states this is not supported.

Re: Aironet (LEAP) with ACS v3 and RSA ACE Server

I'm getting the same errors using external database settings for W2K. Have followed the docs at Cisco site and have set it up on a member server joined to the domain with all 5 ACS services logged on with a domain admin equivalent account. Don't seem to be getting any messages on the W2K DCs to show of any attempts at authentication and my guess is that the ACS is not forwarding the authentication to either of the DCs.

Cisco Employee

Re: Aironet (LEAP) with ACS v3 and RSA ACE Server

The member server (ACS) needs to start the CSRadius service and all other CSxxx services with a domain priviledged username, furthermore, in the "Local Security Setting" under the "User Rights" , there is an option of "Act as part of Operating System" which must also include the same said username which is starting the services. Once you do this, you should be ok and ACS will proxy authentication to w2k.



New Member

Re: Aironet (LEAP) with ACS v3 and RSA ACE Server

What OS are you running on your member server? If you're running win2k with sp2 then that's were your problem lies. There will be a few bugs created in the next few days that relate to these issues.

CreatePlease login to create content