ACS 4.2 and machine based certificate authentication

Aug 17th, 2010

We had a consultant set up our wireless infrastructure a couple of years ago and for the most part I was hands off (big mistake).  He did a great job setting it up, but I got zero knowledge transfer.

We authenticate laptop users using machine certificates with a Microsoft CA and Cisco ACS 4.2 server.  I can't for the life of me figure out how/where he configured the ACS to specifically look for the certificate and check the CA for it being valid.  Any ideas where this is done in the ACS server?

The reason I ask is that we are considering rolling out wired 802.1x and purchasing a new ACS appliance (5.2).  I want to make sure I have a firm grasp on the setup before I move forward though.

Javier Henderson Tue, 08/17/2010 - 11:48

Look in System Configuration -> Global Authentication

Also under System Configuration you will see a link to the certificate setup section.

Christopher Bell Tue, 08/17/2010 - 12:53

Thanks!  I hadn't noticed that.  I'm still a bit confused though on how all this works.

Wireless Client --> WLC --> Cisco ACS --> CA

I see now where the ACS server is configured to accept EAP-TLS, but how does it know who to accept it from.  For instance, when I wireshark the ACS I see the auth request and auth challenge coming from the WLC, but how does the ACS server know that it should be authenticating these?

I'm probably looking for something that doesn't exist, and I'm probably trying to think of this like a switch or router config that you can just peruse through the CLI and find what you need.  In any event, a random client sending an authentication request over EAP-TLS shouldn't be authenticated for the heck of it... there has to be something in the ACS that is specifically configured to look for these requests to authenticate these particular clients.

andamani Sat, 02/05/2011 - 21:08

Hi Christopher,

To answer that question.

Let's say an authentication request is coming from the client.

The client is using certificates.

You need to install the Identity certificates and the root CA on the ACS. In this way the ACS will store the certificates in its cert store.

Also for authentication to be successful, you need to trust the certificate authority.

When the authentication request of certificate will come to the ACS, it will check the certificate store and see if the certificate authority is present there or not. If it is present, it will check if the CA is trusted or not. If the CA is trusted then the authentication will be successful depending on the protocol being used and settings for the same.

The above is just an outline.

The following link for ACS 4.2 will help you with the configuration of the same. I would say please read it carefully.

Hope this helps.



-Do rate helpful posts.
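Added example, not from this thread and not ACS code: a small Go program that models the trust decision the reply above outlines for EAP-TLS. It builds a constructed corporate root CA and a constructed rogue CA, puts only the corporate root in the server's certificate store, and then checks one machine certificate from each; the names and certificates are all made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate: self-signed when parent is nil, otherwise signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA { tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} } // machine cert used for EAP-TLS
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AcceptClient is the trust decision the reply outlines: the presented certificate must chain
// to a CA in the server's certificate store and be valid for client authentication, else it is rejected.
func AcceptClient(client *x509.Certificate, trusted *x509.CertPool) error {
	_, err := client.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo trusts only a constructed corporate root CA, then presents one machine cert issued by it and one from a rogue CA.
func Demo() (corpErr, rogueErr error) {
	root, rootKey := newCert("Corp Root CA", true, nil, nil)
	rogue, rogueKey := newCert("Rogue CA", true, nil, nil)
	corpLaptop, _ := newCert("laptop01.corp.example", false, root, rootKey)
	rogueLaptop, _ := newCert("laptop01.corp.example", false, rogue, rogueKey)
	store := x509.NewCertPool() // the server's certificate store holds the trusted root only
	store.AddCert(root)
	return AcceptClient(corpLaptop, store), AcceptClient(rogueLaptop, store)
}
```

Note that both laptops present the same common name; only the issuing CA differs, which is why the cert store, not the name in the certificate, decides who is accepted.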