Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ACS 4.0(1), SecurID and PEAP authentication

Hi Everyone,

I've been reading through about 100 posts in this forum regarding

PEAP and Cisco ACS and RSA SecurID and the more I read about it,

the more I get confused.

I am trying to setup a simple lab for proof of concept. I have

a Pix firewall with 3 interfaces, outside, inside and dmz. Here

are the information:




On the inside network, I have the following:

A windows 2003 Server, IP, running Cisco ACS 4.0(1),

Active Directory, Certificate Server, MS Exchange Server 2003, and

MS SQL Server 2005.

A Windows 2003 Server, IP, running RSA SecurID Server

version 6.1.

A Linux Redhat Enterprise Server 3.0, IP, running

Apache Server, DHCP server and mySQL. The DHCP server will serve

IP addresses to wireless XP clients. I configured the pix firewall

to relay dhcp and I can confirm that the dhcpd relay works.

on the dmz network, I have the following:

A Cisco Access Point (AP 1200), IP, serving wireless clients.

For lab purposes, I have the following rules on the firewalls:

access-list dmz permit ip any host host log

access-list dmz permit ip any any log

access-list inside permit ip any any log

access-group inside in interface inside

access-group dmz in interface dmz

nat (dmz) 1 0 0

global (outside) 1 interface

On the machine running Cisco ACS 4.0(1), I installed RSA Agents software so that

ACS 4.0(1) can communicate with the RSA SecurID Server. I test the connectivity

via RSA SecurID tool installed on the ACS server and it works. I configure

the ACS server to external database authentication via SecurID and I know that it

works because I configured the Pix firewall for AAA authentication and the ACS

proxy the connection the the RSA server and I have two-factor authentication.

Finally, I have a bunch of wireless windows XP clients with cisco wireless

cards and these windows XP have Cisco ACU installed on them. One other thing, these

windows XP wireless clients, when they are connected into the LAN, they are connected

into network so that their windows domain is "". Users,

when are connected via LAN, they are part of the domain "". When they

unplugged the laptop, they are disconnected from the network and they go outdoor

they start using wireless.


What I would like to do is to implement PEAP authentication for wireless XP clients.

In other words, before the XP wireless clients get IP addresses from the DHCP Server,

they must authenticate via two-factor authentication. The username/password will be

the one stored in the RSA SecurID server. Once they are authenticated, then a windows

domain logon will presented, then they can authenticate to the Active Directory Server

located on the "inside" network. After that, they can open microsoft outlook and

retrieve mails from the Exchange Server.

What I would like to achieve sound very simple but it is NOT. I think I have to do

the following:

1) Install the microsoft root certificate on the ACS server,

2) in the ACS external database, select SecurID as the option,

3) check EAP-GTC somewhere in the ACS system page,

4) setup the Access Point for EAP authentication,

5) setup the windows XP clients for PEAP authentication.

Some posts mentioned about PEAP machine-authentication and user-authentication. What

does that mean?

Does anyone have instructions step-by-step on how to setup PEAP authentication?

I think these are not hard but this is my first time doing this so it is quite

overwhelming, not to mention the fact that my day-to-day job is to work on Checkpoint,

Cisco Pix/VPNc and Juniper/netscreen firewalls. Therefore, wireless is totally new

to me.

I've attached a diagram of what I wanted to accomplish. Thanks in advance.


CCIE Security


Re: Cisco ACS 4.0(1), SecurID and PEAP authentication

There is a very good document which explains how to setup PEAP authentication.

This document explains with a configuration scenario which is very good. Try this.

CreatePlease to create content