Thanks Dion, but this link is ACS 5.1. We don't care about that as the LAB blueprint is ACS 4.2 :D
I take back what I said about the user having to be in ACS (Windows database, not ACS internal database). I forgot to fail unknown attempts to the external database (AD); I deleted the internal ACS user and made the ADU connection again, which worked, and the user was cached afterwards in ACS. I had problems in the past with EAP-TLS and the CSSC client, and I usually had to enter the outer identity username (the same user that had the certificate) into the ACS before EAP-TLS worked. Now when I do another test with EAP-TLS and delete the ACS cached user, I am still authenticated properly. So it seems I can do without the static user entered in the ACS now, at least with ADU! The funny thing is that this time the ACS does not cache the user when doing EAP-TLS, as it did with EAP-FAST and inner EAP-TLS.

regards,
Kristjan

-----Original Message-----
From: Dion Rupert [mailto:[email protected]]
Sent: 16 August 2011 15:21
To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Great... then this may help.
https://supportforums.cisco.com/docs/DOC-15587

Dion

-----Original Message-----
From: Kristján Ólafur Eðvarðsson [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 10:16 AM
To: Dion Rupert; 'Jason Boyers'; [email protected]
Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

In my case the server is part of the domain and the ADU desktop as well.

regards,
Kristjan

-----Original Message-----
From: Dion Rupert [mailto:[email protected]]
Sent: 16 August 2011 15:12
To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Is the server part of the domain?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
Sent: Tuesday, August 16, 2011 9:28 AM
To: Jason Boyers; [email protected]
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Sorry I wasn't clear. I use the AD external database for authentication. However, I have never made it work unless the user exists on ACS before I make the ADU connection. So I have the habit of just creating it (the password does not matter as it isn't used). If the ACS user isn't there (not cached or never cached) I get "ACS user unknown" under failed attempts. The ADU client browsed to the AD CA /certsrv page to get its certificate and authenticated with its username on that webpage.

-----Original Message-----
From: Jason Boyers [mailto:[email protected]]
Sent: 16 August 2011 14:06
To: Kristján Ólafur Eðvarðsson; [email protected]
Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

So, to confirm, you used the internal ACS database for authentication. Is that correct? If so, then there may be something going on with the match between the user certificate and AD, since Yuri is using AD for authentication. At least it narrows things down a bit!

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
Sent: Tuesday, August 16, 2011 9:41 AM
To: [email protected]
Subject: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Hey Yuri,

I did a quick test, and I managed to make it work. I even tried to disable EAP-MSCHAPv2 and EAP-GTC as inner methods on ACS and only allow EAP-TLS as the EAP-FAST inner method. I first enrolled the ACS with the CA, got a cert for the client from the ADU PC, and configured the ADU with that EAP-FAST TLS certificate for the client.
The user has to exist in ACS as well, to my knowledge. And it seems to work for me on ADU.

regards,
Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 16 August 2011 01:00
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 29, Issue 10

Today's Topics:

1. EAP-FAST authenticating with Certificate (Yuri Mecca)

----------------------------------------------------------------------

Message: 1
Date: Mon, 15 Aug 2011 22:00:11 -0300
From: Yuri Mecca <[email protected]>
To: <[email protected]>
Subject: [OSL | CCIE_Wireless] EAP-FAST authenticating with Certificate

Hi Guys,

I'm working with EAP authentication and I had a problem connecting the laptop (Cisco ADU) with ACS 4.2 using EAP-FAST with the inner method as TLS (certificate). It works fine with PEAP inner TLS, EAP-TLS, and other EAP-FAST methods like MS-CHAP or GTC. In the ACS reports I see this message: "EAP_TLS Type not configured". Attached is my EAP-FAST config. Has anyone made this auth work? I'm using an external database.

Thanks for the replies! :-)

Yuri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </archives/ccie_wireless/attachments/20110815/328305f3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fast.JPG
Type: image/jpeg
Size: 102566 bytes
Desc: not available
URL: </archives/ccie_wireless/attachments/20110815/328305f3/attachment.jpe>

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 29, Issue 10
*********************************************

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
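As an added illustration (this is not code from the thread, from Cisco ACS, or from IPexpert), the Python below models the two ACS 4.x decisions the thread turns on: whether the requested EAP-FAST inner method is enabled at all, and where the identity is looked up (internal ACS users and cached users first, then the external database only if the Unknown User Policy points at it, with a successful external hit cached as an ACS user). The data structures, the `AcsConfig` class and the `authenticate` function are assumptions made for the example; the two reject reasons reuse the log messages quoted in the thread ("EAP_TLS Type not configured" and "ACS user unknown"). The model deliberately checks no password for certificate-based inner methods, which is why Kristjan's pre-created user "worked" with any password, and it does not model his later observation that plain EAP-TLS did not cache the user.

```python
from dataclasses import dataclass, field


@dataclass
class AcsConfig:
    """Simplified ACS 4.x settings relevant to the thread (constructed sample)."""
    eap_fast_inner_methods: set       # inner methods enabled under EAP-FAST
    internal_users: set               # users statically created in ACS
    unknown_user_policy_dbs: list     # external DBs tried for unknown users; [] = fail
    cached_users: set = field(default_factory=set)  # users ACS learned from an external DB


def authenticate(cfg, external_dbs, username, inner_method):
    """Return (result, reason) for one EAP-FAST request with the given inner method.

    external_dbs maps a database name (e.g. "AD") to the set of identities it knows.
    No password is checked: with a certificate-based inner method ACS only needs to
    resolve the identity, which is why a pre-created user works with any password.
    """
    # 1. The EAP-FAST allowed-methods list is consulted before any user lookup.
    if inner_method not in cfg.eap_fast_inner_methods:
        return "REJECT", f"{inner_method.replace('-', '_')} Type not configured"

    # 2. Internal and previously cached users are found without touching AD.
    if username in cfg.internal_users or username in cfg.cached_users:
        return "ACCEPT", "internal/cached ACS user"

    # 3. Unknown users go to the external databases named in the Unknown User Policy.
    for db_name in cfg.unknown_user_policy_dbs:
        if username in external_dbs.get(db_name, set()):
            cfg.cached_users.add(username)  # ACS caches the user after an external hit
            return "ACCEPT", f"found in external database {db_name}"

    # 4. No policy, or nobody knows the user: the failed-attempts entry from the thread.
    return "REJECT", "ACS user unknown"


def run_thread_scenarios():
    """Replay the situations described in the thread and return their outcomes."""
    ad = {"AD": {"kristjan", "yuri"}}  # constructed sample AD directory
    results = {}

    # Yuri's symptom: EAP-TLS is not enabled as an EAP-FAST inner method.
    yuri = AcsConfig({"EAP-MSCHAPv2", "EAP-GTC"}, set(), ["AD"])
    results["yuri"] = authenticate(yuri, ad, "yuri", "EAP-TLS")

    # Kristjan's first experience: EAP-TLS enabled, user not in ACS, no unknown-user policy.
    k = AcsConfig({"EAP-TLS"}, set(), [])
    results["no_policy"] = authenticate(k, ad, "kristjan", "EAP-TLS")

    # His habitual workaround: pre-create the user in ACS (password irrelevant).
    k.internal_users.add("kristjan")
    results["precreated"] = authenticate(k, ad, "kristjan", "EAP-TLS")

    # What he then found: delete the static user and point the Unknown User Policy at AD.
    k.internal_users.discard("kristjan")
    k.unknown_user_policy_dbs.append("AD")
    results["via_ad"] = authenticate(k, ad, "kristjan", "EAP-TLS")
    results["cached_after_ad"] = "kristjan" in k.cached_users

    # Deleting the cached user does not break it: AD is simply consulted again.
    k.cached_users.clear()
    results["after_cache_clear"] = authenticate(k, ad, "kristjan", "EAP-TLS")
    return results


if __name__ == "__main__":
    for name, outcome in run_thread_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

The ordering matters for troubleshooting: an "EAP_TLS Type not configured" entry means the request never reached the user lookup, so database and certificate-mapping questions are moot until the inner method is enabled, while "ACS user unknown" means the method was fine and the identity resolution (static user, cache, or Unknown User Policy) is what to inspect.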
