Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 3.2(1) and CRL checking - HOW!!

I am testing ACS 3.2(1) for use in a wireless EAP-TLS network and have setup Microsoft CA on a Win2K server / AD and Domain controller.

This all works and I have machine authentication working too.

How do I get ACS to block access for a particular user/certificate? I want to demonstrate what happens if a laptop is stolen / certificate is compromised, but it seems ACS does not check any Certificate Revocation Lists (CRLs) so how is this possible?

Another possibility is that ACS offers to do a binary comparison of the certificate presented by the user, with the certificate stored in Active Directory? I don't know how or if this could be used to achieve the same thing, perhaps by being able to remove or replace the AD copy of the user certificate in some way?

It does seem rather incredible that ACS can't do this, otherwise it rather defeats the whole object, doesn't it? I realise I can block the UserID, but that means a user would have to be issued a new ID whenever a compromise was identified or suspected, which is not much good!

I would welcome any comments or suggestions!

Thanks in advance,


Cisco Employee

Re: ACS 3.2(1) and CRL checking - HOW!!

You've basically figured out how to do certificate checking already.

In 3.1 and above they added functionality to do binary comparisons of the EAP-TLS cert and the cert stored in the user object in the AD database. If you enable this (under System Config - Global Authentication Setup - EAP-TLS), all you need to do is remove the cert from the user object in AD (if that person leaves or their laptop is stolen) and that user/machine will no longer be able to connect.

New Member

Re: ACS 3.2(1) and CRL checking - HOW!!

Ahhh OK, I can see how that would work.

Can you tell me how to do this? Or can you direct me to the documents? I've read the EAP-TLS deployment guide but that doesn't cover it. What I need to understand is how to publish a user cert in AD and how to manage that, i.e. remove it or change it etc.

My CA is setup as an enterprise root authority, so I think this should happen automatically but I don't know how to check. Can this still be done with a stand alone CA?

Thanks for your help with this!

New Member

Re: ACS 3.2(1) and CRL checking - HOW!!

Can anyone direct me to information about how to manage / view / publish a user certificate in Active Dirctory as discussed?



CreatePlease to create content