Cisco Support Community

New Member

eap-tls configuration assistance

I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.


MS CA (Windows 2008 Server)

MS DC (Windows 2003 Server)

ACS 4.2 (Windows 2003 Server)

WLC 4402 (5.2)


Client MS XP SP3

I have confirmed that the certificates are valid on both the ACS and client.

The problem I have is that I see the client associate, but it fails authentication. When I look in the ACS failed attempts log, I see:

13/07/2009 11:19:17 Authen failed host/ Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 .. .. 13 EAP-TLS .. TWLC01 CITY

I have configured ACS for Unknown User Policy and have the client e26458 in AD.

I would like some advice from some people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of debug aaa events enable, debug aaa detail enable, debug dot1x events enable and debug dot1x states enable on the WLC.

frustratingly yours

New Member

Re: eap-tls configuration assistance

I am unable to open the attachment. Anyway, let me tell you a few things which you should confirm while using certificates.

1. Both your client and server certificates should be from the same authority.

2. The username to which the certificate was issued should be in your ACS database.

3. Confirm the validity of both your CA and device certificates.

Just to confirm this is not an issue with your ACS server, you can install the cert in your controller and try to authenticate the client using local auth. If this works then your certs are perfect, and you should verify your ACS configuration.

New Member

Re: eap-tls configuration assistance

1. Both the client and servers certs are from the same CA and are valid.

2. I thought with EAP-TLS you configure ACS to use the unknown user policy, referencing the external database, which in my scenario is AD.

New Member

Re: eap-tls configuration assistance

I've mapped groups to AD Security Groups for the external configuration. This allows me to divide my medical devices from typical user devices, smartphones etc., all through a single SSID, and pass different Airespace attributes for dynamic interfaces and QoS settings.

New Member

Re: eap-tls configuration assistance

Which magical guide did you use to get it working? I am not getting that far. I'm failing authentication, see OP for log details.

I know my ACS is talking to my AD correctly because I configured PEAP, using our CA cert on ACS, authenticating into our AD.

I just cannot get EAP-TLS working using machine authentication. The ACS is not trying to talk to AD even though the logs are showing External user not found. If it is failing due to a certificate problem, surely the ACS would have a failed certificate message in the failed logs?
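One way to make the failed attempts log answer the question above is to triage each line by what ACS actually had in hand when it failed: the line quoted in the OP shows a User-Name of bare "host/", which means no machine name was extracted from the client certificate before the AD lookup. The script below is an added example, not part of this thread or of any Cisco tool; the column order is an assumption matching the field count of the pasted line, and the tab-separated sample lines are constructed (the first re-types the OP's line, the other two are made up for contrast).

```python
import csv
from typing import Dict, List

# Column order is assumed to follow the ACS 4.x "Failed Attempts" report;
# it matches the 17 fields of the line pasted in the original post.
COLUMNS = [
    "date", "time", "message_type", "user_name", "group_name", "caller_id",
    "authen_failure_code", "author_failure_code", "author_data", "nas_port",
    "nas_ip", "filter_info", "eap_type", "eap_type_name", "reason",
    "access_device", "ndg",
]

# Constructed sample: OP's line re-typed as tab-separated, plus two
# made-up lines showing the other failure shapes a defender should tell apart.
SAMPLE_LOG = (
    "13/07/2009\t11:19:17\tAuthen failed\thost/\tDefault Group\t00-12-F0-82-77-2D\t"
    "(Default) External user not found\t..\t..\t1\t..\t..\t13\tEAP-TLS\t..\tTWLC01\tCITY\n"
    "13/07/2009\t11:25:02\tAuthen failed\thost/e26458.example.local\tDefault Group\t"
    "00-12-F0-82-77-2D\tExternal user not found\t..\t..\t1\t..\t..\t13\tEAP-TLS\t..\tTWLC01\tCITY\n"
    "13/07/2009\t11:30:44\tAuthen failed\thost/e26458.example.local\tDefault Group\t"
    "00-12-F0-82-77-2D\tClient certificate validation failed\t..\t..\t1\t..\t..\t13\tEAP-TLS\t..\tTWLC01\tCITY\n"
)


def parse_failed_attempts(text: str) -> List[Dict[str, str]]:
    """Split tab-separated report lines into dicts keyed by COLUMNS."""
    rows = []
    for fields in csv.reader(text.splitlines(), delimiter="\t"):
        if len(fields) != len(COLUMNS):
            continue  # header line or a truncated row: skip it
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def triage(row: Dict[str, str]) -> str:
    """Classify one EAP-TLS failure by the stage at which ACS gave up."""
    if row["eap_type_name"] != "EAP-TLS":
        return "not-eap-tls"
    user = row["user_name"].strip()
    code = row["authen_failure_code"].lower()
    # "host/" with nothing after the slash: the certificate yielded no machine
    # name, so ACS had no identity to look up in AD (check the cert's
    # Subject/SAN and the ACS certificate comparison settings, not AD).
    if user in ("", "host/"):
        return "empty-machine-identity"
    if "user not found" in code:
        return "ad-lookup-failed"   # a real name was looked up and not found
    if "certificate" in code or "handshake" in code:
        return "certificate-validation"
    return "other"


def triage_log(text: str) -> List[str]:
    return [triage(r) for r in parse_failed_attempts(text)]
```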

