I am testing ACS 3.2(1) for use in a wireless EAP-TLS network and have set up Microsoft CA on a Win2K server / AD and Domain controller.
This all works and I have machine authentication working too.
How do I get ACS to block access for a particular user/certificate? I want to demonstrate what happens if a laptop is stolen / certificate is compromised, but it seems ACS does not check any Certificate Revocation Lists (CRLs) so how is this possible?
Another possibility is that ACS offers to do a binary comparison of the certificate presented by the user, with the certificate stored in Active Directory? I don't know how or if this could be used to achieve the same thing, perhaps by being able to remove or replace the AD copy of the user certificate in some way?
It does seem rather incredible that ACS can't do this, otherwise it rather defeats the whole object, doesn't it? I realise I can block the UserID, but that means a user would have to be issued a new ID whenever a compromise was identified or suspected, which is not much good!
You've basically figured out how to do certificate checking already.
In 3.1 and above they added functionality to do binary comparisons of the EAP-TLS cert and the cert stored in the user object in the AD database. If you enable this (under System Config - Global Authentication Setup - EAP-TLS), all you need to do is remove the cert from the user object in AD (if that person leaves or their laptop is stolen) and that user/machine will no longer be able to connect.
Can you tell me how to do this? Or can you direct me to the documents? I've read the EAP-TLS deployment guide but that doesn't cover it. What I need to understand is how to publish a user cert in AD and how to manage that, i.e. remove it or change it etc.
My CA is set up as an enterprise root authority, so I think this should happen automatically but I don't know how to check. Can this still be done with a stand-alone CA?
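The reply above says the whole mechanism hinges on the `userCertificate` attribute of the AD user object: ACS compares the DER bytes presented in EAP-TLS against the values stored there, so revoking a stolen laptop's access means removing that one value. The following script, added here as an illustration and not taken from the thread or from Cisco documentation, shows how to list what is published on a user object and remove a single certificate by thumbprint. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to edit the user; the account name `alice` and the thumbprint are placeholders.

```powershell
# Added example (not from the thread): inventory the certificates published on an AD
# user object and remove the one from a stolen laptop, so the EAP-TLS binary comparison
# against userCertificate no longer matches that certificate.
# Assumes the ActiveDirectory module (RSAT); 'alice' and the thumbprint are placeholders.
Import-Module ActiveDirectory

$UserName              = 'alice'                    # placeholder sAMAccountName
$CompromisedThumbprint = 'REPLACE-WITH-THUMBPRINT'  # placeholder, upper-case hex SHA-1

# Each userCertificate value is the DER-encoded certificate, i.e. the same bytes the
# supplicant presents during EAP-TLS. Decode one so it can be identified by thumbprint.
function ConvertTo-CertInfo {
    param([byte[]]$Der)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList (,$Der)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint   # SHA-1 over the DER bytes
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Der        = $Der
    }
}

$user      = Get-ADUser -Identity $UserName -Properties userCertificate
$published = foreach ($der in $user.userCertificate) { ConvertTo-CertInfo -Der $der }

"Certificates published on $UserName in AD:"
$published | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Pick the compromised certificate; leave any others (e.g. a replacement) in place.
$target = $published | Where-Object { $_.Thumbprint -eq $CompromisedThumbprint }
if (-not $target) {
    Write-Warning "No published certificate with thumbprint $CompromisedThumbprint; nothing to remove."
    return
}

# Remove only that value from the multi-valued attribute.
Set-ADUser -Identity $UserName -Remove @{ userCertificate = $target.Der }

# Verify the value is gone: a client presenting this certificate now fails the
# binary comparison even though the certificate itself is still within its validity period.
$remaining = (Get-ADUser -Identity $UserName -Properties userCertificate).userCertificate |
    ForEach-Object { (ConvertTo-CertInfo -Der $_).Thumbprint }
if ($remaining -contains $target.Thumbprint) {
    throw "Removal of $($target.Thumbprint) from $UserName failed."
}
"Removed $($target.Thumbprint) from $UserName."
```

`Set-ADUser -Clear userCertificate` would instead drop every published certificate for the user, which is the right call when the whole identity is in question rather than one device. If the certificate template has "Publish certificate in Active Directory" enabled, a later enrolment on a replacement machine publishes the new certificate automatically; removing the old value from AD does not revoke the certificate at the CA, so the lost certificate should also be revoked there for the benefit of any other relying party that does consult the CRL.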