Cisco AAA/Identity/Nac :: 5508 ISE Integration With PEAP (Server Side Cert)
Oct 20, 2012
We are currently evaluating ISE and I am stuck with the PEAP authentication (with server-side cert). Our current setup consists of two 5508 controllers and 30+ access points. For authentication we are using PEAP (with server-side cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with server-side cert (similar setup to IAS). I want ISE to perform the same function in addition to profiling etc.
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server-side cert). I would also like to know if others used Microsoft’s CA server or an OpenSSL CA server or a third-party CA server (Go Daddy, VeriSign etc.). Can we use ISE as a CA server just the way we used Microsoft’s IAS server as a CA server?
Feb 9, 2013
I'm in the process of setting up PEAP with ACS 5. From my understanding, the certificate that I generate is a server-side certificate used between ACS and the CA authority. However, according to the Cisco document that I'm using, it sounds like I still have to install a certificate on the wireless clients that validates the server certificate. Is there a process to push this cert out via AD, or do I need to manually install it? And if I wanted, can I get away without checking "validate the server certificate" on the wireless client?
Mar 29, 2006
We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance. That cert was manually installed on our laptops when they were configured for wireless connectivity. My problem is that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption. If possible, I'd like to leverage our existing AD infrastructure for this, but I need some direction, and time is of the essence!!
May 24, 2011
I have just recently purchased a 5505 Controller and 30 3502i APs. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client-side setup as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - This method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD database server, or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Does this also require an intermediary like ACS or IAS?
Mar 8, 2011
I'm currently working on ACS 5.1 to use it as AAA server for Netscout nGenius. I followed a guide for ACS 4.2 and tried to replicate the configuration settings in ACS 5.1.
- created a host profile on network devices and AAA clients having the same shared key with NGenius
- added three (3) NGenius required attributes in system administration > configuration > identity > internal users
- added attribute values to Internal User database
- created an access policy:
* identity pointing to Internal Users
- edit serverprivate.properties in NGenius server to match the requirements
I would like to have NGenius authenticate via ACS 5.1, but as of the moment there is an error message that I receive:
Unicentified error, Code=16510, Details: AV pairs do not match NGenius format ::<insert tacacs username here>, Severity 1, Code: 16510.
Mar 13, 2013
I configured a Cisco ASA 5520 as a Cisco EzVPN server and a Cisco 891 as the EzVPN client. The configuration is working fine. I am using client mode on the EzVPN client side. But my question is, is it possible to communicate with the EzVPN client-side internal IP from the EzVPN server side? And one more thing: what is the benefit of network extension mode on the client side, how does it work, and what changes need to be done on the server and the client side?
Sep 25, 2011
I am trying to set up PEAP authentication for wireless users but I got stuck at the point where I have a single SSID and users are stored in different identity stores: some will be using Active Directory and some are locally created users on ACS. I created a separate service for wireless authentication and under that I am unable to create a rule to differentiate them by identity store. Any idea how to achieve this?
I tried creating identity selection based on role but it does not work, as for protocols like RADIUS PEAP/MS-CHAP, ACS does not look in another identity store once a user is not found in the first identity store.
Sep 24, 2012
I have a Cisco 5508 WLC that I have set up WebAuth on and am trying to install the certificate on. I have generated the CSR and gotten my cert from VeriSign (X.509, server platform=apache). I have followed the instructions via the Cisco documentation url... I found an error in uploading and found out how to encrypt mykey: url...
I am also having exactly the same issue with a certificate from Thawte. I followed the unchained guide and have tried both with and without a password in the initial key generation step, requesting a new cert each time. As with Jeensernchew's issue there are no errors in OpenSSL, but when uploading the cert to the WLC I get the following error. [code] The WLC is running version 6.0.196.0. I am using OpenSSL 1.0.0 29 Mar 2010.
When I requested the cert from Thawte I was asked to specify the device type, I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently? When I do this I can load the cert in the 5508, but the controller fails and doesn't allow that VLAN or config access to the wireless network. I am at a loss of why I can load and it not work. I have verified my hostname and password and those are good.
Apr 22, 2012
So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file. Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC? I can't find any guidelines and instructions from Cisco on this. Or do I need to go through the whole CSR regeneration process again etc.?
Oct 9, 2012
I'm running version 7.2.111.3 on my WLC 5508 and I am trying to figure out how I can set PEAP towards my configured RADIUS servers. On my Local EAP profile I can specify PEAP, but how is it configured by default when you just specify the RADIUS servers on the "WLANs > Edit Test > Security > AAA Servers" tab?
The MS RADIUS logs tell me that it is EAP and not PEAP, so the question is: does the WLC support Microsoft: Protected EAP???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ?
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
Nov 3, 2012
We are trying to integrate Cisco WLC 5508 and Microsoft NPS 2008 to allow users to use their AD username and password to authenticate to the wireless network. I basically followed the following document but with no luck (Appendix B): URL I've gone through some threads in this forum but also with no luck. Basically, we are receiving the following error in the NPS event viewer: A RADIUS message was received from RADIUS client a.a.a.a with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.
May 18, 2011
getting a Cisco WLC to work with MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place between the wireless client and the WLC, as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However, on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Nov 30, 2011
I have ACS4 and I am planning to upgrade to ACS5. I would like to have such rules: I have user1 and one ASA device which is the VPN concentrator for remote users. The ASA has two different tunnel-groups: one which allows logging in via certificate (with mandatory PKI authorization through ACS) with Xauth disabled, and a second tunnel-group which allows login through typical Xauth with authorization through ACS, which uses an external database (RSA Tokens). So I have one user1 who can log in through VPN using an RSA tokencode or a certificate. For example: on a phone user1 uses the certificate, and on a PC workstation the same user1 uses the token password. For the tunnel-group with PKI authorization the ASA checks the username in ACS, and in the typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for PKI authorization, and a second one for the external database (RSA token). Is such a scenario possible under ACS 5, where one user uses different credentials based on the tunnel-group used?
Jan 21, 2013
I've seen a bunch of discussions on the untrusted server cert error with self-signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work without the untrusted server cert error?
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2. Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a GoDaddy root certificate and GoDaddy intermediate certificates installed on them (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by GoDaddy. This was created using the CSR process etc.
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by GoDaddy) expires in the middle of next year (2014) (a little ways off I know, but it is never too early to be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers, will all the clients still trust this new certificate, and will everything continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by GoDaddy, so as long as the new private certificate is signed by GoDaddy everything should be okay.
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
Sep 11, 2011
Any good guide for configuring PEAP with Machine Authentication to allow for domain login? This is a clean install on a new 5.2 install. We are moving from 4.X to 5.2 and I want to make sure I don't miss anything.
Dec 14, 2012
We have implemented VSS on Cisco 6504-E switches using the 10GE links on the Sup-720-10GE. Two Cisco WLC 5508 controllers are planned to be connected in a LAG configuration (consisting of eight links per LAG bundle) to each of the 6504-E chassis (total of four WLCs, two for the primary location and two for the secondary location). The WLC HA feature may be implemented on the primary and secondary WLC controllers using the latest 7.3 code release.
In this scenario, I would like to seek clarification on some of the design/configuration requirements on the 6504-E switches:
1. VLAN 100 - 200 is configured for the Active Primary 6504-E switch and VLAN 200-300 for the Standby 6504-E switch. The IP scopes for the VLANs are defined in the 172.16.x.x range on the Primary and 172.17.x.x on the secondary. As there are no cross links (Multichassis LAG) from the WLC controllers to the 6504-E switches, is it better off implementing a single common VLAN range on a single subnet block for the VSS, so that in the event of, say, a Primary switch failure the wireless APs do not have to re-associate with a different IP range on the secondary? What is the best design practice in this case?
2. What is the best practice for implementing a single management loopback address for the VSS domain? Is this implemented using a port channel (Layer 3 MEC) as below, and is the loopback IP address on a totally different IP range with reference to point 1 above?
Can the VLAN IP ranges on the 6504-E VSS be assigned in two different subnets, say 172.16/12 (100-200) and 17.17/12 (300-400), with the common loopback (lo0) in 172.18.x.x/32, or is it better to have one common 172.16/12 subnet spanning the entire VLAN range (100-400)? Cisco documentation describes creating port channels from the line card physical ports as opposed to just creating lo0 and advertising this into the IGP.
interface gi1/x/1
 description VSS Management
 channel-group 101 mode active
interface gi2/x/1
 channel-group 101 mode active
interface port-channel101
 description VSS Management
 ip address 172.18.x.x 255.255.255.255
Aug 19, 2012
Cisco 5508 wireless controller, Cisco ACS 5.1, LDAP connection. I have set up the wireless controller to do RADIUS authentication with the ACS 5.1 using LDAP. The setup is currently working; brief info below on the setup.
I set up the PC client to use WPA2-Enterprise AES and authentication method Cisco PEAP. When I connect to the SSID this will prompt for a username and password. I will enter my AD details and the ACS with the LDAP connection will authenticate, and on the network I go.
Now I want to add machine authentication with CERTIFICATES; each laptop and PC in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1? I pretty much want to import them into the ACS. Once they are imported I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions does it allow the workstation onto the network. So it will be a two-form authentication, one with certificates and the other with LDAP.
Apr 29, 2011
I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via the webauth page on the WLC deployed. One branch with a WLC 5508 version 7.0 wireless anchor controller is working on the NGS. But now I am integrating the next branch with a WLC 4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.
I double-checked the configuration and user/password but I can't find any configuration error. Also stopping and starting the RADIUS service and rebooting the NGS still does not work. I tried to debug the RADIUS via the web interface and watched the log file and there is still a reject. I also tried the FreeRADIUS command radiusd -X but I got an error when starting radiusd -X.
1.) How can I figure out if I am getting the correct password from my WLC? Are there any debug options to see more? E.g. some CLI commands, radiustest utilities, or how to get the received password from the CHAP challenge in the debug?
2.) I have appended a part of my RADIUS log file. How can I find the detailed error in the RADIUS log file? Is it correct that the password in the debug file is empty? RADIUS log line: "[radius-user-auth] expand: %{User-Password} -> "
Mar 14, 2011
First I configured the ACS to synchronize time from AD as the NTP server. Second, when I configured the integration between the ACS and AD and tested the connection, there was no output from this test, but I saw at the end of the page that the domain is connected. The problem is when I try to navigate the groups by going to Directory Groups and using Select, there is no output.
Apr 15, 2013
Is it possible to integrate a WLC with a NAC 4.9(1) L3 OOB? I can't find any documentation that says that it is possible or not.
Dec 24, 2012
I have integrated the ACS 5.3 with AD. Now my next goal is to integrate ACS with RSA in such a way that all my Cisco devices use the username and password from the AD, while the enable privilege level comes from the RSA Token OTP. Is it possible to do such a thing with ACS 5.3?
Nov 20, 2011
We have a customer who wants to configure his guest wireless network in such way that the guest should fill in a self registration form and generate the username and password themselves. For this purpose we are using cisco ISE but we don't know how to integrate it with cisco WLC.
Jun 24, 2012
We have an ACS running 4.2. I am sure that this ACS is talking to our AD database because our wireless users (using ACS as RADIUS servers) are able to log in using their Windows AD account.
However, I am not sure how ACS is integrated with AD. Our ACS is installed on a Windows 2003 R2 server. I am not sure where the AD database is, i.e., if AD is on the same server as ACS or on a different server [ADs managed by a different group altogether :-( ].
How is the integration done between ACS and AD when both are on the same Windows server? And how is the integration done between ACS and AD when they are on different Windows servers?
ACS is software installed on windows 2003 R2 server.
Dec 14, 2012
We have implemented VSS on Cisco 6504-E switches using the 10GE links on the Sup-720-10GE. Two Cisco WLC 5508 controllers are planned to be connected in a LAG configuration (consisting of eight links per LAG bundle) to each of the 6504-E chassis (total of four WLCs, two for primary and two for secondary). The WLC HA feature may be implemented on the primary and secondary WLC controllers using the latest 7.3 code release.
May 18, 2011
I am deploying redundant WLC 5508s with 4 VLANs and 4 SSIDs matched to them. Everything works fine; now I need to do the below:
1. I need all wireless users to be authenticated with the existing Active Directory/LDAP.
2. I will create guest accounts in my AD and pass them to guests. Then guests should only access the Internet, not corporate resources.
3. How can I secure my Voice VLAN for wireless phones? I want only wireless phones to connect to the Voice VLAN, with no Internet access on the Voice VLAN.
Feb 25, 2010
I have a Cisco WLC talking to an ACS 4400 version 5.1 which in turn talks to Active Directory. I've been trying to get 802.1x for wireless clients going. I have a cert on the ACS from VeriSign on the box, but when users try to sign in they get "12309 PEAP handshake failed" in the ACS RADIUS log. The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a Windows box; now coming back to it with the intent of issuing new certs to the ACS from the internal CA, I thought I would check it to make sure all was good, but it's not. Google doesn’t return happy results for “12309 PEAP handshake failed”. I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
Jul 13, 2011
I have configured my WLC 4402 for RADIUS authentication using Cisco ACS server version 4.2 Patch 4. When using the local database of ACS my wireless users are able to authenticate, but users are not able to authenticate from the external database of Windows AD 2008 R1.
In the ACS logs I am getting this error: Authentication session timed out. Challenge not provided by client.
Jan 29, 2013
We've an issue with authorization on the NCS system. NCS is successfully integrated with ACS, but there is a problem with one user. All users have equivalent rights under root. There is a shell profile with all possible tasks (exported from the NCS server) configured on ACS. All users except this one (unlucky one :)) authorize successfully. In the ACS logs, the authentication and authorization status for this user is passed and all attributes (policy, profile, AV-pairs etc.) are the same as for the other users. This 'unlucky' user gets the following message: There is surely no browser or network issue. Tried from different PCs with the same result. There is no local info related to this username on the NCS server. When I change one character in the username on his ACS account, everything works well.
Our ACS version: 5.1.0.44.X
NCS version: 1.1.2.X
May 15, 2011
integrated the Cisco ACS 1121 with 5.1 and AD and been able to use multiple policies to permit or deny access to different NDGs? I am able to authenticate against AD but I am having an issue with getting the policies to use the user memberOf attribute to set access levels.
Jun 22, 2011
provide me a step-by-step procedure for integrating LDAP with ACS 5.2.
Oct 31, 2010
I replaced an ACS certificate that had been installed as follows:
1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)
2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".
3. Install the certificate on the ACS. Restart ACS service.
4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"
5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.
6. Enable EAP-TLS, then restart the ACS service. The problem is when I try to enable EAP I get the error msg: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page. I searched on Cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
OS: Win 2003 SP2; Cisco ACS: Release 4.2(0) Build 124