Technology and Support - Cisco Community



ACS 5.x for Wireless Authentication – PEAP

Below is an example of how to configure the ACS to authenticate wireless users whose supplicants are configured for PEAP with MS-CHAPv2 as the inner method.

PEAP Configuration on ACS

1) As on ACS 4.x, we need to install both the Root CA certificate and an identity certificate for the ACS to handle PEAP authentication requests from clients accessing the network. NOTE: The certificate generation process on the CA is omitted from this document. To install the Root CA certificate on the ACS, go to Users and Identity Stores > External Identity Stores > Certificate Authorities > click “Add” > browse to the Root CA certificate file (intermediate certificates are also installed here) > click “Submit”:

[pic]

[pic]

2) Generate the ACS 5.x Certificate Signing Request: under System Administration > Configuration > Local Server Certificates > Local Certificates > click “Add” > select Generate Certificate Signing Request > click Next > define the appropriate certificate subject:

[pic]

[pic]

a. Click “Finish” after defining the certificate subject; a warning appears stating that the CSR has been saved under Outstanding Signing Requests.

[pic]

3) Go to Outstanding Signing Requests > select the appropriate CSR and export it to the computer:

[pic]

NOTE: The exported CSR has a .pem file extension. Open the CSR with Notepad or any other text editor and copy its contents, which we will submit to the CA:

[pic]

4) Submit the CSR to the Certification Authority so it signs the request and returns the ACS certificate (the ACS Identity Certificate). Now we need to install the ACS ID certificate: go to System Administration > Configuration > Local Server Certificates > Local Certificates > click “Add” > select Bind CA Signed Certificate > click “Next” > browse to the ID certificate:

[pic]

a. Enable (if applicable) both the EAP and GUI checkboxes so that the ACS uses the new certificate to handle EAP authentications and the same certificate for HTTPS GUI access:

[pic]

5) Click “Finish” and confirm that the certificate has been installed properly:

[pic]
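Before binding the CA-signed certificate in step 4, it is worth checking that it chains to the Root CA installed in step 1, carries the same public key as the exported CSR, and has the Server Authentication EKU that PEAP supplicants validate. The script below is an added example, not part of the Cisco document: it builds a constructed root CA and CSR with openssl to stand in for the real ones, so the CA name, hostname and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco document: constructed root CA and CSR stand in
# for the real ones; check_cert is the pre-bind check for a CA-signed certificate.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config so "openssl req" runs without a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\n' > req.cnf
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' >> req.cnf
# EKU that PEAP supplicants expect to see on the server certificate
printf 'extendedKeyUsage = serverAuth\n' > eku.cnf

# Constructed root CA: stands in for the Root CA certificate file installed on the ACS
openssl req -config req.cnf -x509 -extensions ca_ext -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Constructed Root CA" -keyout ca.key -out ca.pem 2>/dev/null
# Constructed CSR: stands in for the .pem exported from Outstanding Signing Requests
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=acs.example.test" -keyout acs.key -out acs-csr.pem 2>/dev/null
# CA signs the CSR with the Server Authentication EKU
openssl x509 -req -in acs-csr.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile eku.cnf -out acs.pem 2>/dev/null
# Negative cases: a certificate issued for a different key pair, and one without the EKU
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=acs.example.test" -keyout other.key -out other-csr.pem 2>/dev/null
openssl x509 -req -in other-csr.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile eku.cnf -out other.pem 2>/dev/null
openssl x509 -req -in acs-csr.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -out noeku.pem 2>/dev/null

# check_cert CERT CSR CA: 0 = safe to bind, 1 = does not chain to the CA,
# 2 = public key differs from the CSR (the key must match the CSR the ACS holds),
# 3 = no serverAuth EKU
check_cert() {
  cert=$1; csr=$2; ca=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  [ "$csr_pub" = "$cert_pub" ] || return 2
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' || return 3
  return 0
}

check_cert acs.pem   acs-csr.pem ca.pem && echo "acs.pem: OK to bind to the CSR"
check_cert other.pem acs-csr.pem ca.pem || echo "other.pem: rejected, code $?"
check_cert noeku.pem acs-csr.pem ca.pem || echo "noeku.pem: rejected, code $?"
```

Run it against the real exported CSR, the Root CA file and the certificate returned by the CA by replacing the constructed files; a non-zero code tells you which of the three checks the certificate fails before you reach the Bind CA Signed Certificate step.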

6) Now that the ACS has both the ID and Root CA certificates installed, we need to define which database the ACS will authenticate the users against. NOTE: In this document the ACS had already been joined to Active Directory for external user authentication, and we are using the Default Network Access (RADIUS) access policy. Go to Access Policies > Service Selection Rules > Default Network Access > Identity > click “Select”, check the AD1 database and click “OK”:

[pic]

7) In this guide we are going to use a specific AD group as the condition that allows access to the wireless network. For that scenario we need to add the relevant AD groups (the groups from AD that we want the ACS to use) to the ACS. Under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups tab, we can add the group manually by typing its path, or click “Select” and look for the group in the displayed list:

a. Manually adding the group:

[pic]

b. Clicking on “Select” and browsing the list:

[pic]

8) Now that we have added the “Wireless Access” group from AD to the ACS, we can use that group as an authorization condition. Under Access Policies > Service Selection Rules > Default Network Access > Authorization, edit the conditions with the “Customize” option and include AD1: External Groups as an available condition:

[pic]

9) Define the condition referencing the previously added AD group and the result, which in this case is Permit Access when the user is an AD user and belongs to the Wireless Access group in AD:

[pic]

[pic]

10) The rule should look as follows:

[pic]

11) We performed an authentication attempt with the Cisco Secure Services Client (the Cisco supplicant) and got a successful authentication, which can be confirmed under ACS Monitoring and Reports > Dashboard > Authentications - RADIUS – Today:

[pic]
