SEC0094 - ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)
Category:
Security
The video shows you how to configure wireless 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We perform both machine and user authentication, and enforce successful machine authentication with Machine Access Restriction (MAR). We also introduce MAR cache distribution, a feature new in ACS 5.4. For authentication, we test both AD login credentials (PEAP) and a client certificate (EAP-TLS).
Part 1 of the video focuses on configuration on the ACS.
Topic:
- ACS Wireless 802.1X with PEAP and EAP-TLS
- Machine Access Restriction/Distribution
- Certificate Authentication Profile
- Identity Store Sequences
- Policy Element
  - Authorization Profile
  - Airespace Named ACL
  - Service Selection Rule
- Access Services
  - Authentication Policy
  - Authorization Policy
- RADIUS Attributes
- WLC SSID Configuration
- Windows 7 Wireless 802.1X Network Settings
8 comments
EAP Methods
In this video example, are both EAP methods used to authenticate the supplicant simultaneously, or are these two separate EAP configurations for the supplicant?
EAP Methods
Here we switch the EAP config on the client between PEAP and EAP-TLS and test one protocol at a time.
Authentication failed : 15039 Selected Authorization Profile is
I get this error message (Authentication failed : 15039 Selected Authorization Profile is DenyAccess) after attempting an EAP-TLS authentication. The test supplicant never uses the ACS-configured access policy rule. The hit count never changes from "0". PEAP-MSCHAPv2 works fine. Any suggestions?
Authentication failed : 15039 Selected Authorization Profile is
What do you have for the policy conditions? Are you doing MAR? Try to relax it and see if you can get it to match. What version of ACS?
Authentication failed : 15039 Selected Authorization Profile is
Not doing MAR, ACS 5.4, Policy condition is Radius-IETF Framed and wireless 802.11.
Authentication failed : 15039 Selected Authorization Profile is
That is strange. The auth rule is generic enough to match both PEAP and EAP-TLS. If you make the rule match anything and permit, does that at least work?
Authentication failed : 15039 Selected Authorization Profile is
Seems like my ACS 5.4 had a DB issue. Reloaded and the rule started working. Can you tell me if there is a way to configure a Windows 7 supplicant to do user and computer authentication, not user or computer?
Thx...
Authentication failed : 15039 Selected Authorization Profile is
Glad to hear that it is now working. You might want to take a config backup just in case. We have seen bigger issues follow when an issue like this starts to happen.
'User or computer' will actually do both user and computer authentication. The way it is called is actually kinda misleading.
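As an added example (not from the video or lab, and not Cisco or Microsoft code), here is a small Python check that reads a Windows WLAN profile XML of the kind `netsh wlan export profile` produces and reports whether the OneX authMode is the "User or computer authentication" setting (`machineOrUser`) discussed above, and whether PEAP server-certificate validation is turned on. The embedded profile is a constructed, trimmed sample rather than a real export; the element names and namespaces follow the Windows WLAN profile and PEAP connection-properties schemas.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows WLAN profile XML ("netsh wlan export profile").
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
# OneX <authMode> values behind the Windows 7 "Advanced settings" dropdown;
# "machineOrUser" is the "User or computer authentication" choice.
AUTH_MODES = {
    "machineOrUser": "computer auth before logon, then user auth after logon",
    "machine": "computer authentication only",
    "user": "user authentication only; machine auth never happens, so MAR fails",
}
# Constructed, trimmed profile (not a real export): EAPConfig keeps only the
# PEAP element this check reads.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-Dot1X</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><PeapExtensions>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
      </PeapExtensions></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text):
    """Return SSID, authMode, its meaning, and a list of findings for one profile."""
    root = ET.fromstring(xml_text)
    findings = []
    ssid = root.findtext("wlan:name", default="?", namespaces=NS)
    mode = root.findtext(".//onex:authMode", default=None, namespaces=NS)
    if mode not in AUTH_MODES:
        findings.append("authMode missing or unknown: %r" % mode)
    elif mode == "user":
        findings.append("authMode 'user' skips machine authentication")
    # Without server-certificate validation the supplicant never checks which
    # RADIUS server it is talking to, so the outer TLS tunnel protects nothing.
    psv = root.findtext(".//peap2:PerformServerValidation", default="", namespaces=NS)
    if psv.strip().lower() != "true":
        findings.append("PEAP server certificate validation disabled")
    return {"ssid": ssid, "auth_mode": mode,
            "meaning": AUTH_MODES.get(mode), "findings": findings}
```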