View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0093 - ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video shows you how to configure wired 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We will perform both machine and user authentications, and enforce successful machine authentication using Machine Access Restriction (MAR). We will introduces MAR Cache distribution, which is a feature introduced in ACS 5.4. For authentication, we will attempt both using AD login credential (PEAP) and client-based certificate (EAP-TLS).
Part 2 of the video contains authentication testing on our Windows 7 test computer.
  • ACS Wired 802.1X with PEAP and EAP-TLS
  • Machine Access Restriction/Distribution
  • Certificate Authentication Profile
  • Identity store Sequences
  • Policy Element
    • Authorization Profile
  • Downloadable ACL
  • Service Selection Rule
  • Access Services
    • Authentication Policy
    • Authorization Policy
    • RADIUS Attributes
  • Windows 7 Wired 802.1X Network Settings

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Good video like all oder one !!

Please i need to know how to implement dot1x on 2 switches (2x48ports) without certificate, but force users to authenticate through AD to have acces to the network ressouces so that no one can get an ip address or access to the network if he has'nt an account.
thanks for your help

What you want to accomplish is just a regular PEAP authentication with AD integration. Please refer to Part 1 of this video for configuration. 

Hi all ,

Please i need to no how can we switch user to it's Vlan based on his logon and password ?

I configured dot1x and i now need to switch alow all users t their vlan whatever the port they use.

thanks for your help

Under Authorization profile, there should be an option to configure returned VLAN. If not, you can always use RADIUS attributes below.

  • IETF 64 (Tunnel Type)—Set this to VLAN.
  • IETF 65 (Tunnel Medium Type)—Set this to 802
  • IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.

thanks it's work
But i dont know for witch reason i can't able to see my logs again, i can just see old logs how to itroubleshoot it ?

- the second issue i have is that when i log with account shell profile follow video SEC0086, SEC0087, SEC0088 it's work good but the probem is that i can use whitchever password i just have to type any one or any letter.

- the third issue it to know if i can use both radius and tacacs on same switch ?


1. Double check that logging service is running. Make sure log collector is pointing to local node. If all looksgood, try rebooting the server
2. That is strange. If the password does nto match fully, you should fail authentication. 
3. Yes. just configure the network device to support got TACACS and RADIUS.

I have followed this video and the other for MAB. However, whenever I connect my PC it is going to the wired-mab identity instead of the wired-machine and wired-user. Any thoughts on what I need to look at?

Do you have your switch configured to failover to MAB if dot1X fails? If so, check if your supplicant is configured for dot1X and see if you have any failed dot1X authentication. Verify that the switchport runs Dot1x with 'sh auth sess inter' command.

did anyone try to add Huawei Router as AAA client? does ACS 5.4 support that?

TACACS or RADIUS? As long as the router supports standard protocol or even require some VSA, you should be able to get it to work as ACS is very flexble on what to return after a successful authentication.

I am trying to configure it using TACACS to configure two groups of administrators with command authorization.

You might want to confim with the Huawei support and make sure it is supported. You can check out the video below on the configuration on the ACS side.