I am trying to get EAP-TLS working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
MS CA (Windows 2008 Server)
MS DC (Windows 2003 Server)
ACS 4.2 (Windows 2003 Server)
WLC 4402 (5.2)
Client MS XP SP3
I have confirmed that the certificates are valid on both the ACS and client.
The problem I have is that I see the client associate, but it fails authentication. When I look in the ACS Failed Attempts log, I see:
13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
I have configured ACS for Unknown User Policy and have the client e26458 in AD.
I would like some advice from some people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of debug aaa events enable, debug aaa detail enable, debug dot1x events enable, and debug dot1x states enable on the WLC.
I am unable to open the attachment; anyway, let me tell you a few things which you should confirm while using certificates.
1. Both your client and server certificates should be from the same authority.
2. The username to which the certificate was issued should be in your ACS database.
3. Confirm the validity of both your CA and device certificates.
Just to confirm this is not an issue with your ACS server, you can install the cert in your controller and try to authenticate the client using local auth. If this works, then your certs are perfect and you should verify your ACS configuration.
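The three certificate checks in the reply above, as an added example that is not from this thread or from Cisco: it builds a throwaway CA, a RADIUS-server cert and a machine cert with the openssl CLI (all names constructed; the account list is a stand-in for the computer accounts ACS can see in AD), then checks same issuer, current validity, and whether the host/<CN> identity the supplicant presents exists in that list. Assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI; all names are constructed.
set -eu
WORK=$(mktemp -d)

# Build a throwaway CA, then a RADIUS-server cert (acs01) and a machine cert issued by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for name in acs01 e26458.internal.company; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -out "$WORK/$name.pem" 2>/dev/null
  done
}

# Check 1: both the server and the client certificate chain to the same CA.
same_authority() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$2" >/dev/null 2>&1
}

# Check 3: the certificate is valid right now (-checkend 0 fails once it has expired).
is_valid_now() {
  openssl x509 -in "$WORK/$1" -noout -checkend 0 >/dev/null 2>&1
}

# Check 2: derive the identity a machine-auth supplicant presents (host/<CN>) from the cert.
cert_identity() {
  cn=$(openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 \
       | sed -e 's/^subject=//' -e 's/^.*CN=//' -e 's/,.*//')
  printf 'host/%s\n' "$cn"
}

# ...and confirm it exists in the account list (one "host/fqdn" per line, exact match).
identity_known() {
  printf '%s\n' "$2" | grep -qx "$1"
}

make_pki
# Constructed stand-in for the computer accounts the ACS external database can resolve.
ACCOUNTS='host/e26458.internal.company
host/pc0002.internal.company'
same_authority acs01.pem e26458.internal.company.pem && echo "same CA: ok"
is_valid_now e26458.internal.company.pem && echo "client cert valid now: ok"
identity_known "$(cert_identity e26458.internal.company.pem)" "$ACCOUNTS" && echo "identity found: ok"
```

A client whose host/<CN> is missing from the list reproduces the "External user not found" situation without any certificate error, which is the distinction the reply draws.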
I've mapped groups to AD Security Groups for the external configuration. This allows me to divide my medical devices from typical user devices, smartphones, etc., all through a single SSID, and pass different Airespace attributes for dynamic interfaces and QoS settings.
Which magical guide did you use to get it working? I am not getting that far. I'm failing authentication; see the OP for log details.
I know my ACS is talking to my AD correctly because I configured PEAP, using our CA cert on ACS, authenticating into our AD.
I just cannot get EAP-TLS working using machine authentication. The ACS is not trying to talk to AD, even though the logs are showing "External user not found". If it is failing due to a certificate problem, surely the ACS would have a failed certificate message in the failed logs?