802.1x Authentication

Unanswered Question
May 14th, 2010

All,


Just looking for some more information on wired 802.1x authentication. I currently run ACS 4.1, and I know that it can be integrated with AD for authentication purposes. Does anyone have information on whether or not you can take it a step further and use CAC / smartcard authentication? There's not much information that I can find about this topic, so anything posted is helpful!

Thanks -

Jon

Kent Heide Fri, 05/14/2010 - 11:34

The ACS supports RSA among other things. What solution are you running?

Jkloza_2 Fri, 05/14/2010 - 11:48

We're currently using CAC authentication (Common Access Cards). I did see that RSA is supported, but we don't use RSA tokens right now.

Thanks

sjbdallas Fri, 05/14/2010 - 13:37

With the CAC cards, don't you end up pointing to an LDAP to verify the certificate? I would assume that all you'd need to do is make sure you have the root and subordinate certs trusted in ACS, then point to an LDAP as the external directory (instead of AD) where you can verify the certs.

HOWEVER, my experience with 802.1x and ACS (limited as it may be) has been that you still need a supplicant on the client side to handle the certificate auth communication.

Jatin Katyal Fri, 05/14/2010 - 14:20

Jon,


CAC authentication will be done via EAP-TLS on the ACS. Here is a configuration example and the EAP-TLS configuration guide for ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp325971

How do I use a CAC


Certificates are stored on the chip embedded in the Common Access Card (CAC). The chip also contains a processor, which responds to two protocols, PKCS#11 and Microsoft CAPI. To use a CAC, the workstation must have a smart card reader installed and must have software installed that enables the interaction between the application and the CAC, called middleware. The installation of smart card readers and middleware is the responsibility of the command that controls the workstation configuration. Once the reader and middleware have been installed, some applications, including Microsoft Outlook and Microsoft Internet Explorer, require configuration to install the certificates from the smart card into the application. The private keys never leave the card, but the configuration step tells the application that the private key associated with the certificate can be found on the CAC. This configuration is also the responsibility of the command that controls the workstation configuration, but requires that the card be present in the card reader to perform the configuration. After the workstation is configured, using the CAC involves putting the card in the reader prior to use, and using the user interface provided by the PK-Enabled client application to sign, decrypt, or identify yourself to PK-Enabled information systems. The CAC must be unlocked prior to use by entering the PIN when requested. If the PIN is entered incorrectly four times in a row, the CAC will lock and require a visit to a RAPIDS terminal or a CAC PIN Reset station for unlocking.

Regds,

JK


Do rate helpful posts-
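The trust decision sjbdallas and JK describe above (trusted root and subordinate certs on the server, then EAP-TLS client-certificate auth, then a directory lookup on the identity in the cert) can be reproduced with the openssl CLI. This is an added example, not code from the thread or from Cisco ACS; "Example Root CA", "Example Sub CA", "Rogue CA" and the card-holder subject are throwaway values constructed here, not the real CAC issuers.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco ACS. It emulates the
# check a RADIUS server makes on an EAP-TLS client certificate: the cert must
# chain to a trusted root through the trusted subordinate CA. All CAs and the
# card-holder subject below are constructed throwaways, not the DoD PKI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SUBJECT EXTFILE [ISSUER]: make a key and CSR, then sign the CSR
# either with its own key (no ISSUER) or with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

issue root "/CN=Example Root CA" ca.ext           # trust anchor loaded on the server
issue sub  "/CN=Example Sub CA"  ca.ext root      # subordinate that issues card certs
issue card "/CN=DOE.JOHN.1234567890" client.ext sub   # constructed card holder
issue rogue   "/CN=Rogue CA" ca.ext               # a CA the server does not trust
issue badcard "/CN=DOE.JOHN.1234567890" client.ext rogue

# acs_accept CERT: exit 0 only when CERT chains to root.pem via sub.pem and is
# usable for client authentication. The subordinate is passed as -untrusted
# because only the root is an anchor; the sub must itself chain to the root.
acs_accept() {
  openssl verify -CAfile root.pem -untrusted sub.pem -purpose sslclient "$1" >/dev/null 2>&1
}

# cert_identity CERT: the subject the server would hand to the directory (LDAP)
# lookup after the chain check passes.
cert_identity() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

if acs_accept card.pem; then echo "accepted: $(cert_identity card.pem)"; fi
if ! acs_accept badcard.pem; then echo "rejected: $(cert_identity badcard.pem)"; fi
```

Note that the second card carries the same subject as the first and is still rejected: the directory lookup only happens for certificates that survived the chain check, so a name in an untrusted cert never reaches the LDAP step.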
