LDAP, PEAP, Cisco ACS and BYOD

BYOD, LDAP and PEAP are a nice combo. Implementing them together was a little tricky. Here are some hints:
1. If you use an LDAP directory like OpenLDAP or Lotus Notes LDAP, then you must use PEAP-GTC as the authentication protocol. MSChap won’t work!
2. With Apple iOS you cannot configure which phase 2 authentication method to use. So, if you enable both MSChap and GTC on your ACS, the iOS device will use MSChap, which results in an authentication reject. Disable the MSChap authentication protocol on the Cisco ACS to get these devices working, because then the iOS device uses GTC.
3. Windows 7 has no native GTC support. If you want to authenticate against an OpenLDAP account database, you must install a third-party supplicant. If you have an Intel wireless card in your laptop, you can use the wireless utilities downloadable from the Intel website. After installing these utilities, you can use GTC as an authentication method.
4. If you get a lot of „EAP timeout“ errors in your ACS log file, try changing the EAP timeout value in the wireless settings (i.e. on the WLAN controller) from 2 sec (default) to 10 sec.

Cisco Secure ACS % Repository not found

If you are wondering about an error message like „Repository not found“ while trying to patch a Cisco Secure ACS system, check whether the replication status of the ACS instance is „updated“ rather than „pending“ or „unknown“. You can only apply a patch if the instance is in the „updated“ state.

acs-1/admin# show repository FTP
% Repository not found
