ACS SE 4.2, 802.1x and certificates for machine authentication

Unanswered Question
Apr 26th, 2010
User Badges:
  • Bronze, 100 points or more

I'm trying to figure out how to put this lot together, but dont know enough about ACS when used with an external CA.

What I want to get working is:

A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.

Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.

Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
aacole Wed, 04/28/2010 - 10:20
User Badges:
  • Bronze, 100 points or more

Thanks for that, I've read up on this a bit more, I cannot figure out if I actually need to use the RA for my application.

I want the PC machine certificate to be authenticated to the microsoft CA, its the ACS to CA communication process I'm not sure about. What should I use here?

netbean-09 Fri, 04/30/2010 - 06:15
User Badges:


I also configured an ACS (not 4.2 but 5.1) for machine authentication with 802.1x. I think Cert - Validation directly with the CA is'nt possible. You have to establishe a LDAP - Connection to a DC. If the Option "publish Certificate in Active Directory" in the Cert - Template of the CA is activated, all issued Certs are retrieveable on the DC. So the ACS can use the whole bunch of attributes in the DC for building Access Policies. I.E to assign the used VLAN in Order to an LDAP - Attribute, like "description" (hostbased - VLAN - Assignement).



aacole Fri, 04/30/2010 - 07:55
User Badges:
  • Bronze, 100 points or more

Hi Bernhard,

That answers my questions, having never worked with AD, CA and LDAP etc I didn’t realise that you could assign attributes at a user (machine in my case) level, although it makes perfect sense when you indicated that, as LDAP is a method of supporting user accounts right?

I suppose in that case I'll be able to assign an attribute through LDAP, which ACS will use to map that account/machine to a specific VLAN. The attribute value will be used to represent the VLAN mapping.

What component in ACS do I use to match against attributes? I don’t see anything in the NAP, NAF or RAC sections about this.

As an alternative, your reply prompted me to look at the ACS User Group mapping section, it describes mapping a windows group to an ACS group, which may also be a solution, although not as flexible as being able to match on an LDAP attribute associated with the machine accounts.

Reading through this it seems this is an area where the SE and Windows based ACS platforms differ, I'm using SE.


netbean-09 Mon, 05/03/2010 - 01:33
User Badges:

Hi Andy,

Sorry, Im not very familiar with ACS 4.2, because we started with 5.0 (this Version supports 2048 key lenght). In ACS 5.x you have a link "LDAP" in the webinterface under the section "Users and Identity Stores", where you can define the specific AD - structur of your organization (See screenshots).

In ACS 4.2, I suppose you have to do that under "External User Databases => Database Configuration => Windows Database. But before you have to Enable EAP-TS machine authentication and configure "Unknown User Policy" with the option "Check the following external userdatabases". As "External Databases, select "Network Admission Control" and as "Selected Databases" use "Windows Database". At least activate "Certificate CN comparison" in the EAP-TLS section. Dont forget to permit RAS for the client in AD. I hope it works.


aacole Tue, 05/04/2010 - 10:11
User Badges:
  • Bronze, 100 points or more

Hi Bernhard,

Thanks, I'm back on site this week so hopefully will be able to work on this soon.


jonmarso_07 Wed, 12/21/2011 - 12:53
User Badges:
Digital certificate on the ACS Wireless network:

Checking the configuration of the Wireless Notebook no longer requires the digital certificate of the ACS and NVR122 NVR123as worked in the past.

The certificate is generated for the ACS root CA trusted by the COMPANY, so that the public CA certificate supersedes theprevious ACS.

Therefore, any host that is in the field of company would have access to the wireless network.

With this, the 8021x is working with a certificate that is common to all hosts in the field of business.

How do I change it?

netbean-09 Tue, 12/27/2011 - 01:40
User Badges:

In the Cisco ACS 5.x you import all the PKI's you will trust, never mind what root the ACS - certificat (wich is used to establishe the TLS tunnel) is descended from. May be, ACS 4.x did it in the same way? If you want to disclose the machines of the old certificate, you had to delete the old certificate in a section like "User and Identity Stores" => "External Identity Stores" => "Certificate Authorities" (May be, that the structure in ACS 4.x is different).


This Discussion