05-18-2010 06:24 AM - edited 03-10-2019 05:08 PM
Working with implementing EAP-TLS in an environment where we have two completely separate Microsoft Active Directories (different forests, non-trusted). Each AD has its own certificate authority. We want our Cisco Secure ACS 3.2X server to be able to do machine authentication for both domains.
Is it possible to have the ACS authenticate clients with certificates from various ADs/CAs?
Thanks!
05-24-2010 12:50 PM
Ok so we set up a generic LDAP query against the second domain's Active Directory domain controller, utilizing credentials that are domain admin on that domain, and imported this domain's certificate authority's root certificate into the certificate authority trust list in ACS. Everything I see says this should work, but we get the error on the client side that the client does not trust the certificate.
Any ideas?
05-24-2010 02:56 PM
Andrea,
I assume you are seeing this on clients in the AD domain other than the one of the CA that issued the ACS's certificate?
That being the case, you need to export the Root CA cert from your ACS server's domain and import that into the Trusted Root Certification Authorities store on your client machines in the other domain (you can distribute this cert via group policy), then configure the supplicant (I assume you are using a native Windows supplicant?) to trust that CA in the Validate Server Certificate option on the Authentication tab in the Network Connection properties.
Regards
Andy