Cisco Support Community

ACS 5.1 EAP-TLS Issue


I recently installed ACS 5.1 + Cisco WLC 4402 and many LWAP1125 for our new EAP-TLS wireless security standard.

I'm trying to limit wireless access to a specific security group in Active Directory.

According to the ACS AAA RADIUS log, I can see ACS is sending the correct username information to AD for reference, but Active Directory doesn't recognize the username within the security group.

Please see below for more details:

Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - Wireless Tester
24412  User not found in Active Directory
22016  Identity sequence completed iterating the IDStores

My ACS configuration for the Identity Store is to use the certificate-based authentication (Default CN Username) method against Active Directory.

Under Access Policies -> Service Selection Rule, I have one rule that permits network access if the RADIUS protocol is used and the user account is a member of a specific security group.

I've been reviewing my configuration over and over but couldn't find any flaws. Is there an EAP-TLS deployment guide using ACS 5.1?

Thank you in advance for your help.
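The following is an added example, not code from the post or from Cisco. It does two things that help when reading a trace like the one above: it parses the numbered ACS step lines and reports which identity the Active Directory lookup (step 24432) queried and whether a "User not found" step (24412) followed, and it models what a "Default CN Username" template does by pulling the CN attribute out of a certificate subject DN. The step-code meanings come from the post; the subject DN strings are constructed, the assumption that a 24412 step after a 24432 step means the lookup failed is this example's, and the CN extraction is a model of the template's behaviour, not ACS's own code.

```python
import re

# Copied from the post: the "Evaluating Identity Policy" step trace for the failing session.
FAILED_TRACE = """\
Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - Wireless Tester
24412  User not found in Active Directory
22016  Identity sequence completed iterating the IDStores
"""

# Step codes taken from the trace above. 24412 following 24432 is read as a failed lookup
# (an assumption of this example, based on the message texts shown).
STEP_AD_LOOKUP = 24432
STEP_AD_USER_NOT_FOUND = 24412

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")


def parse_steps(trace):
    """Return [(code, message), ...] for every numbered step line in an ACS trace.
    Unnumbered lines such as the 'Evaluating Identity Policy' header are skipped."""
    steps = []
    for line in trace.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((int(m.group(1)), m.group(2).strip()))
    return steps


def identity_lookup_result(steps):
    """Summarise the AD identity-store lookup: the identity ACS queried and whether it was found.
    ACS appends the queried identity after ' - ' in the 24432 message."""
    identity = None
    found = None
    for code, msg in steps:
        if code == STEP_AD_LOOKUP:
            identity = msg.split(" - ", 1)[1].strip() if " - " in msg else None
            found = True  # assume success until a failure step follows
        elif code == STEP_AD_USER_NOT_FOUND:
            found = False
    return {"identity": identity, "found": found}


def cn_from_subject(subject_dn):
    """Extract the CN value from an RFC 4514 subject string, e.g.
    'CN=Wireless Tester,OU=Wireless,DC=example,DC=com' -> 'Wireless Tester'.
    Commas escaped with a backslash inside a value are kept as part of the value.
    This models a 'Default CN Username' template; it is not ACS's own implementation."""
    for part in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = part.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.replace("\\,", ",").strip()
    return None


def username_matches_lookup(subject_dn, trace):
    """Check that the CN the template would derive from the client certificate is the
    identity ACS actually sent to AD, and report whether AD found it."""
    result = identity_lookup_result(parse_steps(trace))
    result["cn_from_cert"] = cn_from_subject(subject_dn)
    result["cn_sent_as_is"] = result["cn_from_cert"] == result["identity"]
    return result


if __name__ == "__main__":
    # Constructed subject DN matching the identity seen in the post's trace.
    sample_subject = "CN=Wireless Tester,OU=Wireless,DC=example,DC=com"
    print(username_matches_lookup(sample_subject, FAILED_TRACE))
```

Running it on the post's trace shows the template-derived CN "Wireless Tester" was sent to AD unchanged and that the lookup failed, which narrows the problem to how AD is being asked to resolve that value rather than to the certificate-to-username step.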
