SEC0095 - ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)

The video shows you how to configure wireless 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We will perform both machine and user authentication, and enforce successful machine authentication using Machine Access Restriction (MAR). We will also introduce MAR Cache Distribution, a feature introduced in ACS 5.4. For authentication, we will attempt both AD login credentials (PEAP) and a client certificate (EAP-TLS).
Part 2 of the video contains authentication testing on our Windows 7 test computer.
  • ACS Wireless 802.1X with PEAP and EAP-TLS
  • Machine Access Restriction/Distribution
  • Certificate Authentication Profile
  • Identity store Sequences
  • Policy Element
    • Authorization Profile
    • Airespace ACL Name
  • Service Selection Rule
  • Access Services
    • Authentication Policy
    • Authorization Policy
    • RADIUS Attributes
  • WLC SSID Configuration
  • Windows 7 Wireless 802.1X Network Settings

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new technologies.


Can you explain the security advantage when deploying both PEAP-MSCHAPv2 and EAP-TLS with wireless?

PEAP is username/password-based authentication and does not require a client-side cert, so ease of deployment is the main advantage and why it is one of the most popular protocols used in 802.1X. EAP-TLS, on the other hand, requires a client-side cert, which typically requires you to have a proper PKI, but it is considered the more secure protocol than PEAP.

I need the Windows 7 supplicant to authenticate with AD (MSCHAP) and the local onboard certificate (EAP-TLS). Not one or the other. How do I configure the Win7 supplicant to accomplish this?

If we are not mistaken, it is not possible to use MSCHAP (user/password-based) and EAP-TLS (client cert-based) concurrently, at least on the Win7 supplicant. The closest you can get is probably EAP-TLS for machine auth and PEAP/MSCHAP for user auth, and even that will require AnyConnect NAM.

I am trying to configure EAP-TLS with MAR and am having issues with machine authentication failing. I have enabled binary comparison of certificates so that ACS will do a binary comparison of the certificate received from the machine and the one retrieved from AD. User authentication works fine; we are having issues with machine authentication.

If you uncheck Binary comparison, does it work? What was the error message?

Is there a way to authenticate device-based certificates with ACS? The requirement states that the device serial number will be utilized and presented for authentication. Example of the device cert: Can this action be accomplished?

You should be able to create an authorization rule that matches a cert attribute. Take a look under the condition and see if you can find it there.