View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0094 - ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)

Average: 4.5 (2 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>

The video shows you how to configure wireless 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We will perform both machine and user authentications, and enforce successful machine authentication using Machine Access Restriction (MAR). We will introduces MAR Cache distribution, which is a feature introduced in ACS 5.4. For authentication, we will attempt both using AD login credential (PEAP) and client-based certificate (EAP-TLS).

Part 1 of the video focuses on configuration on the ACS.


  • ACS Wireless 802.1X with PEAP and EAP-TLS
  • Machine Access Restriction/Distribution
  • Certificate Authentication Profile
  • Identity store Sequences
  • Policy Element
    • Authorization Profile
    • Airespance Name ACL
  • Service Selection Rule
  • Access Services
    • Authentication Policy
    • Authorization Policy
    • RADIUS Attributes
  • WLC SSID Configuration
  • Windows 7 Wireless 802.1X Network Settings

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


In this video example are both EAP Methods be utilized to authenticate the supplicant simultaneously? Or is this two separate EAP configurations for the supplicant?

Here we swith the EAP config on the client between PEAP and EAP-TLS and test one protocol at a time.

I get this error message (Authentication failed : 15039 Selected Authorization Profile is DenyAccess) after attempting an EAP-TLS authentication. The test supplicant never uses the ACS configured access policy rule. Hit count never changes from "0". PEAP-MSCHAPv2 works fine. Any suggestions?

What do you have for the policy conditions? Are you doing MAR? Try to relax it and see if you can get it to match. What version of ACS?

Not doing MAR, ACS 5.4, Policy condition is Radius-IETF Framed and wireless 802.11.

That is strange. The auth rule is generic enough to match both PEAP and EAP-TLS. If you make the rule match anything and permit, does that at least work?

Seems like my ACS 5.4 had a DB issue. Reloaded and rule started working. Can you tell me if there is a way to configure a Windows 7 supplicant to do user and computer authentication? not user or computer.


Glad to hear that it is now working. You might want to take a config backup just in case. We have seen a bigger issue follows when an issue like this starts to happen.

'User or computer' will actually do both user and computer authentication. The way it is called is actually kinda misleading.