ACS 5.3 certificate based network access using AD

ajay pandey
Level 1

Hi,

Has anyone implemented certificate-based 802.1X network access authentication using ACS 5.3 with AD as the external identity store?

If yes, then please let me know ASAP.

Ajay


Dev Vishwakarma
Cisco Employee

Ajay,

I can help you with your questions on EAP-TLS design and configuration. Please let me know which stage of the EAP-TLS implementation you are at:

-Configuring the ACS 5.3 for Active Directory

-Configuring the ACS 5.3 for EAP-TLS authentication

-Configuring the switches for 802.1X

-Configuring the wired clients for EAP-TLS

Regards,

Dev

Hey, thanks for the quick reply.

I was just checking the Cisco documentation, and there LDAP is mentioned for EAP-TLS authentication, so I was confused as to whether I can use AD or not.

I checked with the server guys and they told me that AD is the better option; I also think AD is better and recommended.

Can you confirm this?

Also, I am working on a scenario in which LAN users will connect to switches and the switches will authenticate the users via ACS 5.3 using certificate-based authentication.

I am currently coordinating with other teams to get AD integrated. In the meantime, could you please let me know what else will be required?

My requirement is just to put the users in a specific VLAN once they are authenticated, and the VLAN should be decided based on groups in AD.

Regards

Ajay

When using EAP-TLS, AD can come into play in one of two ways:

- there is an option to perform a binary comparison of the client certificate against one stored in AD (or LDAP)

- it is possible to retrieve AD groups for the user and utilize these in authorization

Configuration for this is done as follows:

1) Define a certificate authentication profile:

Users and Identity Stores > Certificate Authentication Profile

In the profile, define the "Principal Username Attribute" (the certificate attribute that identifies the user).

You can optionally select "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory".

2) If you want to do authorization based on AD groups, you need to create an identity sequence:

Users and Identity Stores > Identity Store Sequences

In "Authentication Method List", select "Certificate Based" and select the profile from step 1.

In "Additional Attribute Retrieval Search List", select Active Directory in the list of selected stores.

3) Select the identity sequence as the result for the identity policy. For example, for the policy defined by default:

Access Policies > Access Services > Default Network Access > Identity

Ajay,

As far as EAP-TLS authentication is concerned, both LDAP and AD would serve the same purpose. However, in other aspects AD is much better than LDAP, as AD:

-allows you to use MS-CHAP authentication; LDAP only allows PAP.

-allows machine authentication for domain clients; LDAP does not.

-allows nested group fetching; LDAP does not.

-allows cross-domain/forest authentication; ACS does not support this to the fullest with LDAP, as ACS does not support LDAP referrals.

Here is a quick reference for all the external databases and the protocols they support:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1014889

All in all, go with AD!

Based on your requirements for authenticating LAN users through switches using certificates (EAP-TLS), here is what you require:

1] A server certificate for ACS generated by a Certification Authority (your in-house CA). Follow these steps:

Generating a Certificate Signing Request

Binding CA Signed Certificates

2] The root CA certificate of the same CA that issued the server certificate for ACS. This root CA certificate has to be installed on all the LAN clients and on the ACS. This has to be done by the AD admin of your company, or you can do it manually for every LAN client.

3] A client certificate on all the LAN clients from your in-house CA (preferably the same CA as in step 1). This can be pushed through GPO by the AD admins of your company. No manual effort required.

4] Switch to be configured for authenticating the LAN users. Enable dot1x (802.1X). Here are the steps:

· Catalyst 2950

· Catalyst 3550

· Catalyst 4500

· Catalyst 6500

5] ACS 5.3 to be integrated with AD -- you are already working on it.

6] ACS to be installed with the root CA certificate of the CA that issued the certificate to ACS. Additionally, install the root CA certificate of the CA that issued the certificates to the clients (if it is not the same CA). Refer to this section of the document:

Install the Root CA Certificate on ACS 5.x

7] A certificate authentication profile to be configured on the ACS for EAP-TLS authentication.

8] An identity sequence to be configured, so that you can fetch the group membership of the user from AD (required for assigning the VLAN later).

9] Authorization profiles to be configured on ACS for VLAN assignment using RADIUS attributes 64, 65 and 81.

10] Access service > Identity to be configured to point to the identity sequence.

11] Access service > Authorization to be configured to check the group membership of the user from AD, and then assign different authorization profiles (created at step 9) to assign the desired VLANs.

Steps 7-11 we will discuss once we have got through step 6.

Regards,

Dev
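Step 9 of the post above names RADIUS attributes 64, 65 and 81 for VLAN assignment. On the wire these are the tagged tunnel attributes of RFC 2868: Tunnel-Type (64) with the value VLAN (13), Tunnel-Medium-Type (65) with the value IEEE 802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN ID or name, each prefixed with a one-octet tag so the switch can group them. The Python below is an added example, not code from this post, from ACS or from Cisco documentation: it encodes that attribute set as an Access-Accept carries it and decodes it with the consistency checks a switch applies before moving a port (same tag on all three, Tunnel-Type 13, Tunnel-Medium-Type 6), so an authorization profile with a wrong medium type or a missing group ID is rejected rather than applied. The tag value 1, the sample VLAN IDs and the deliberately faulty profile are constructed for illustration.

```python
import struct

# RADIUS attribute numbers and values used for dynamic VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE 802"
MAX_TAG = 0x1F                 # tags 0x01-0x1F group attributes; 0x00 means "untagged"


def _avp(attr_type, value):
    """Wrap a value in a RADIUS attribute: Type (1 octet), Length (1 octet,
    counting the two header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_attributes(vlan, tag=1):
    """Return attributes 64, 65 and 81 as they appear in an Access-Accept that
    assigns `vlan` (a VLAN ID or a VLAN name). Tag 1 is an assumed value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00-0x1F")
    group_id = str(vlan).encode("ascii")
    return b"".join([
        # 64 and 65 carry the tag octet followed by a 3-octet integer
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        # 81 carries the tag octet followed by the VLAN ID or name as a string
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id),
    ])


def parse_avps(data):
    """Split a run of RADIUS attributes into (type, value) pairs, rejecting
    truncated or out-of-bounds lengths instead of guessing."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length out of bounds")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def decode_vlan_assignment(data):
    """Return the VLAN ID/name if `data` holds a complete, consistent VLAN
    assignment, otherwise None: all three attributes under one tag, with
    Tunnel-Type VLAN and Tunnel-Medium-Type IEEE 802."""
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            tag, parsed = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string
            if value and value[0] <= MAX_TAG:
                tag, parsed = value[0], value[1:].decode("ascii")
            else:
                tag, parsed = 0, value.decode("ascii")
        else:
            continue  # Class, Session-Timeout, etc. do not affect the VLAN decision
        groups.setdefault(tag, {})[attr_type] = parsed

    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    good = encode_vlan_attributes(20)  # constructed sample: assign VLAN 20
    print(good.hex(), "->", decode_vlan_assignment(good))
    # Constructed faulty profile: Tunnel-Medium-Type set to IPv4 (1) instead of IEEE 802 (6)
    bad = (_avp(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
           + _avp(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x01")
           + _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x0120"))
    print(bad.hex(), "->", decode_vlan_assignment(bad))
```

When an ACS authorization profile "assigns a VLAN" but the port stays put, dumping the Access-Accept and running its attributes through a decoder like this shows at once whether the three attributes are all present, share a tag, and carry 13/6 rather than, say, an IPv4 medium type.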

Thanks to both of you.

I will do AD integration and get back to you on this.

Regards

Ajay

Hi,

I am done with almost all things but am facing one issue currently. When I select the binary comparison method against AD, authentication fails and I get the error below:

"22049 Binary comparison of certificates failed"

Has someone faced this issue in ACS 5.3?

Please respond ASAP.

Regards

Ajay

Maybe a silly question, but just to be sure: do you store the certificates in AD?

Hi,

Actually, the server admin handled the certificate requirement, and it might be that while generating the certificate some options were not checked correctly, which might be causing this.

I will ask them again and verify this. But your guidance about the implementation was very helpful.

Currently, in the authentication profile I have unchecked that option, and it is working fine that way too.

Ajay

I have the same issue. Have you resolved the issue with authentication using certificates and AD? Thanks!


Hi,

I am stuck with CRL checking. While adding the PKI URL for the root certificate in the CA store, I am getting the PKI error "Could not add Certificate Revocation List".

Could you help me on this ?

Regards

Ajay

mohankumarm
Level 1

Hello,

I have a scenario where several iPhones/iPads have to be authenticated via Cisco ACS 5.3 and a WLC. Currently, all the iDevices are using PEAP with username/password, and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the iDevice and the clients will rely only on certificate-based authentication.

In the current ACS setup, the identity store sequence configuration is password based, and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new identity store sequence and select the "Certificate based" option, then a new access service policy has to be defined to map all the iDevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies, one for device access and one for network access, and I am not sure how, by creating a new policy, the iDevice traffic will hit this policy. Please advise how we go about implementing this feature for iDevices with no username/password credentials, using only certificate-based authentication.

Thanks very much in advance.

Mohan,

Check my post on the other thread and you should be good to go!

Tarik Admani
*Please rate helpful posts*

More details can be found in the document below.

https://supportforums.cisco.com/docs/DOC-27489

Regards

Anim Saxena