Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1765
Views
5
Helpful
3
Replies

ACS 4.2 and machine based certificate authentication

Christopher Bell
Level 4
Level 4

‎08-17-2010 05:34 AM - edited ‎03-10-2019 05:20 PM

We had a consultant set up our wireless infrastruction a couple of years ago and for the most part I was hands off (big mistake).  He did a great job setting it up, but I got zero knowledge transfer.

We authenticate laptop users using machine certificates with a Microsoft CA and Cisco ACS 4.2 server.  I can't for the life of me figure out how/where he configured the ACS to specifically look for the certificate and check the CA for it being valid.  Any ideas where this is done in the ACS server?

The reason I ask is that we are considering rolling out wired 802.1x and purchasing a new ACS appliance (5.2).  I want to make sure I have a firm grasp on the setup before I move forward though.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Labels:
0 Helpful
3 Replies 3

Javier Henderson
Level 4
Level 4

‎08-17-2010 11:48 AM

Look in System Configuration -> Global Authentication

Also under System Configuration you will see a link to the certificate setup section.

Christopher Bell
Level 4
Level 4
In response to Javier Henderson

‎08-17-2010 12:53 PM

Thanks!  I hadn't noticed that.  I'm still a bit confused though on how all this works.

Wireless Client --> WLC --> Cisco ACS --> CA

I see now where the ACS server is configured to accept EAP-TLS, but how does it know who to accept it from.  For instance, when I wireshark the ACS I see the auth request and auth challenge coming from the WLC, but how does the ACS server know that it should be authenticating these?

I'm probably looking for something that doesn't exist, and I'm proably trying to think of this like a switch or router config that you can just peruse throught he CLI and find what you need.  In any event, a random client sending an authentication request over EAP-TLS shouldn't be authenticated for the heck of it... there has to be somthing in the ACS that is specifically configured to look for these requests to authenticate these paticular clients.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to Christopher Bell

‎02-05-2011 09:08 PM

Hi Christopher,

To answer that question.

Lets say an authentication request is coming from the client.

The client is using certificates.

You need to install the Identity certificates and the root CA on the ACS. In this way the ACS will store the certificates in its cert store.

Also for authentication to be successful, you need to trust the certificate authority.

When the authentication request of certificate will come to the ACS, it will check the certificate store and see if the certificate authority is present there or not. If it is present, it will check if the CA is trusted or not. If the CA is trusted then the authentication will be successful depending on the protocol being used and settings for the same.

The above is just a outline.

The following link of ACS 4.2 will help you in configuration of the same. I would say please read it carefully.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp373226

Hope this helps.

Regards,

Anisha

-Do rate helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents