We've got an ACS 5.1 virtual appliance for device administration tasks and now we want to authenticate wireless domain users, but only by their username/password, without trusting any CA certificates from the AD (is an ACS certificate required too?).
Maybe there are some steps I have missed, but I can't locate where the problem is:
This is the configuration of the AP that I have, but is it correct?
aaa group server radius rad_eap
 server a.b.c.d auth-port 1812 acct-port 1646
 server a.b.c.d auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group rad_eap local
dot11 vlan-name WPA vlan 199
dot11 ssid LABREDES_CERT
   authentication open eap eap_methods
   authentication network-eap eap_methods
   mbssid guest-mode dtim-period 75
encryption vlan 199 mode ciphers tkip
We have spent some days on this and nothing seems to work, but nothing appears in the ACS log (there are no messages at all), and a debug (radius, aaa authentication) on the AP only shows (AAA/BIND(0000014E): Bind i/f )
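As an added example (not from the original post), a small stdlib-only Python probe that sends one RADIUS Access-Request (RFC 2865, PAP) and checks the Response Authenticator. Run it from a host that is defined as a AAA client on the ACS to see whether the server answers on 1812 versus 1645 and whether the shared secret matches, independently of the AP; the host "a.b.c.d", the test user and the secret are placeholders.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encrypt_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, user, password, secret, authenticator=None):
    """Code(1) + Identifier + Length + 16-byte Request Authenticator + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def expected_response_auth(request, resp_header, resp_attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp_header + request[4:20] + resp_attrs + secret).digest()

def response_is_authentic(request, response, secret):
    if len(response) < 20 or response[1] != request[1]:  # too short or identifier mismatch
        return False
    return response[4:20] == expected_response_auth(request, response[:4], response[20:], secret)

def probe(host, port, user, password, secret, timeout=3.0):
    """Send one Access-Request and classify what came back (or did not)."""
    request = build_access_request(os.urandom(1)[0], user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: wrong port, request dropped (unknown AAA client?), or not reaching the ACS"
    if not response_is_authentic(request, response, secret):
        return "reply failed Response Authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(response[0], f"code {response[0]}")

if __name__ == "__main__":  # placeholders: replace host, credentials and secret before running
    print(probe("a.b.c.d", 1812, "testuser", "testpassword", b"PLACEHOLDER_SECRET"))
```

An Access-Reject still proves the port and shared secret are right and that the request reached the ACS (it should then show in the ACS log); a timeout on 1645 but a reply on 1812 points at the port mismatch between the two server lines above.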
Regarding the certificate: you can use PEAP with MSCHAPv2 and leave the self-signed certificate on the ACS (so you simply disable certificate validation on your clients), but I would definitely not recommend this.