Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x - ACS authentication issue.....

I will attempt to explain the history of our wireless controller configurations as best I can.  We are currently using a 4400 controller running 7.x software which authenticates to and ACS 4.1 appliance.  All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place so I'm trying to piece it together.  The ACS is setup to map to AD for specific groups. 

  In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to.  Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks.  The reason for this is those ip networks can reach certain services that are not allowed for general users.  ACS maps those users upon authentication to the Vlans associated with those separate ip networks.

Problem 1.  When I first took this job, users could not map drives or any services because only user authentication was taking place..After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script

Problem 2.  Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not.  Upon further investigation it was discovered that the reason they are not is that the authentication is not correct.  When the computer first authenticates before the user logs on its shows in ACS as host/ where the user authentication shows as xxxxx/username .  So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.

Please help.  I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.


Re: 802.1x - ACS authentication issue.....


Please elaborate more about the problem. I got the history.

Both formats you mentioned ( domain\username and are both valid fromAD perspective.

If you have the "host" word in the username that means this is machine auth and the machine needs to be member of the domain for auth to secceed.

Elaborate please more about the problem and topology.

How many ACS servers you have? You use only machine auth or machine and user auth? What fails? User or machine auth.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
New Member

Re: 802.1x - ACS authentication issue.....

Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.

  The topology that I know of is this.  Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's.  In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing.  Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?).  Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects.  Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/ (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.

  I am very familiar with other wireless products and controllers such as Aruba.  In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication.  In the Aruba we used the windows supplicant.  I'd like to do the same with Cisco. 

  As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate.

CreatePlease login to create content