Cisco Support Community


EAP-TLS & Unknown User Policy

I am setting up a WLC with the client using EAP-TLS (machine authentication only). We are using ACS 3.2, which is part of AD. The problem is that the ACS is being used to authorize users for Internet access also.

So if I enable the Unknown User Policy to AD for EAP-TLS machine authentication, this will break what is being done for Internet Access.

Any ideas that don't include entering every machine and user name in the local database? I was wondering if I could set up a wildcard user of host/* that points to AD.

Is there a way to make this work without configuring the Unknown user policy to point to AD?

Thank you!


Re: EAP-TLS & Unknown User Policy

Log onto the ACS server itself as the local administrator.

Browse to the Bin directory in the ACS program directory.

Run the program there called CSSupport.

Select "Run Wizard" and click Next.

Check all the boxes, create the file for the last 3 days and click Next.

Again click Next.

Select "Set Diagnostic Log Verbosity to Maximum." and click Next.

Click Next, then click Finish.

In an environment where there is more than one global catalog server for the domain, ACS will not search for the "secondary" catalog server if the "primary" goes down.

Condition: ACS is installed on a domain member server.

Workaround: Restart csauth.exe.

Let me know if restarting CSAuth makes any difference.
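The reply describes a failure mode (ACS stays bound to the first global catalog it found and does not fail over) and a workaround (restart CSAuth). The following PowerShell script is an added diagnostic for the ACS host, not code from the thread or from Cisco: it enumerates the forest's global catalog servers, checks which of them the ACS server can actually reach on the GC LDAP port, and only then applies the restart workaround. It assumes ACS runs on a Windows domain member, that the Windows service is named CSAuth (the thread only names the process csauth.exe), and that the standard GC port 3268 is in use.

```powershell
# Added example (not from the thread or from Cisco): check global catalog
# reachability from the ACS host, then apply the CSAuth-restart workaround.
# Assumptions: the ACS host is a domain member, the service name is "CSAuth"
# (the thread names only csauth.exe), and the GC LDAP port is the standard 3268.
$gcPort = 3268

# Enumerate the global catalog servers this domain member knows about.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcs = $forest.GlobalCatalogs | Select-Object -ExpandProperty Name

$reachable = @()
$unreachable = @()
foreach ($gc in $gcs) {
    # A plain TCP connect with a 3-second timeout tells us whether the GC
    # is at least listening; it does not attempt an LDAP bind.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($gc, $gcPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            $reachable += $gc
        } else {
            $unreachable += $gc
        }
    } catch {
        $unreachable += $gc
    } finally {
        $client.Close()
    }
}

Write-Host "Reachable GCs:   $($reachable -join ', ')"
Write-Host "Unreachable GCs: $($unreachable -join ', ')"

# The thread's workaround: ACS does not look for another GC on its own, so
# when the one it bound to is down, restarting CSAuth forces a fresh lookup.
if ($unreachable.Count -gt 0 -and $reachable.Count -gt 0) {
    Write-Host "A GC is down while others are up; restarting CSAuth so ACS re-binds."
    Restart-Service -Name CSAuth -Force
    Get-Service -Name CSAuth | Select-Object Name, Status
} elseif ($reachable.Count -eq 0) {
    Write-Warning "No global catalog is reachable; restarting CSAuth will not help."
} else {
    Write-Host "All global catalogs reachable; no restart needed."
}
```

Run it as a local administrator on the ACS server itself, since Restart-Service needs that right and the GC list must be the one the ACS host sees. Running it before and after the CSAuth restart the reply suggests gives you evidence of whether the failover defect is actually the cause, rather than restarting blind.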