ACS 3.2(1) and CRL checking - HOW!!

pdotchon
Level 1

I am testing ACS 3.2(1) for use in a wireless EAP-TLS network and have set up Microsoft CA on a Win2K server / AD and Domain controller.

This all works and I have machine authentication working too.

How do I get ACS to block access for a particular user/certificate? I want to demonstrate what happens if a laptop is stolen / certificate is compromised, but it seems ACS does not check any Certificate Revocation Lists (CRLs) so how is this possible?

Another possibility is that ACS offers to do a binary comparison of the certificate presented by the user, with the certificate stored in Active Directory? I don't know how or if this could be used to achieve the same thing, perhaps by being able to remove or replace the AD copy of the user certificate in some way?

It does seem rather incredible that ACS can't do this, otherwise it rather defeats the whole object, doesn't it? I realise I can block the UserID, but that means a user would have to be issued a new ID whenever a compromise was identified or suspected, which is not much good!

I would welcome any comments or suggestions!

Thanks in advance,

-phil

3 Replies

gfullage
Cisco Employee

You've basically figured out how to do certificate checking already.

In 3.1 and above they added functionality to do binary comparisons of the EAP-TLS cert and the cert stored in the user object in the AD database. If you enable this (under System Config - Global Authentication Setup - EAP-TLS), all you need to do is remove the cert from the user object in AD (if that person leaves or their laptop is stolen) and that user/machine will no longer be able to connect.
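An added example (not from this thread or from Cisco) of the AD side of that procedure: listing the certificates published on a user object and removing one of them with the ActiveDirectory PowerShell module. It assumes the module (RSAT) is available on the admin workstation and that you have rights to edit the user object; the user name and thumbprint are placeholders.

```powershell
# Added example, not from the thread. Inspect the certificates published on an
# AD user object (the copies ACS compares against) and remove the compromised one.
# Assumes the ActiveDirectory module; 'jdoe' and the thumbprint are placeholders.
Import-Module ActiveDirectory

$sam        = 'jdoe'                                    # placeholder user
$thumbprint = 'PLACEHOLDER_THUMBPRINT_OF_COMPROMISED_CERT'

# userCertificate is multi-valued: one DER-encoded blob per published certificate.
$user  = Get-ADUser -Identity $sam -Properties userCertificate
$certs = foreach ($der in $user.userCertificate) {
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$der)
    [pscustomobject]@{
        Thumbprint = $x.Thumbprint
        Subject    = $x.Subject
        NotAfter   = $x.NotAfter
        Raw        = [byte[]]$der
    }
}

# Show what ACS's binary comparison would match against.
$certs | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# Remove only the compromised certificate; any other published certs stay in place.
$victim = $certs | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $victim) { throw "No certificate with thumbprint $thumbprint is published on $sam" }
Set-ADUser -Identity $sam -Remove @{ userCertificate = $victim.Raw }

# Confirm: the count should have dropped by one, and the next EAP-TLS attempt
# presenting that certificate will fail the ACS binary comparison.
(Get-ADUser -Identity $sam -Properties userCertificate).userCertificate.Count
```

Removing the AD copy only affects the ACS comparison; the certificate itself remains valid until it is also revoked at the CA, which (as the thread notes) ACS 3.2 does not consult.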

Ahhh OK, I can see how that would work.

Can you tell me how to do this? Or can you direct me to the documents? I've read the EAP-TLS deployment guide but that doesn't cover it. What I need to understand is how to publish a user cert in AD and how to manage that, i.e. remove it or change it etc.

My CA is set up as an enterprise root authority, so I think this should happen automatically but I don't know how to check. Can this still be done with a stand-alone CA?

Thanks for your help with this!

Can anyone direct me to information about how to manage / view / publish a user certificate in Active Directory as discussed?

Cheers,

-phil
