Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 5.3 certificate based network access using AD

Hi,

Does anyone has implemented certificate based 802.1x authentication network access using ACS5.3 & external identity store as AD.

If yes then please let me know asap.

Ajay

2 ACCEPTED SOLUTIONS

Accepted Solutions
Gold

Re: ACS 5.3 certificate based network access using AD

When using EAP-TLS AD can come into play in one of two ways

- there is an option to perform a binary comparison on the client certificate against one stored in AD (or LDAP)

- it is possible to retrieve AD groups for the user and utilize this in authorzation

Configuration for this is done as follows:

1) Define a certificate authentication profile:

Users and Identity Stores > Certificate Authentication Profile

In the profile define the "Principal Username Attribute" - attribute that identifies user

Can optionally select "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory"

2) If want to do authorization based on AD groups, then need to create an identity sequence

Users and Identity Stores > Identity Store Sequences

In "Authentication Method List" select "Certificate Based" and select the profile from step 1

In "Additional Attribute Retrieval Search List", select Active Directory in list of selected stores

3) Select the identity sequence as the result for the indentity policy. For example, for the policy defined by default:

Access Policies > Access Services > Default Network Access >Identity

Cisco Employee

Re: ACS 5.3 certificate based network access using AD

Ajay,

As far as EAP-TLS authentication is concerned, both LDAP and AD would serve the same purpose. However, in other aspects AD is much better than LDAP, as AD:

-allows you to use MS-Chap authentication, LDAP only allows PAP.

-allows machine authentication for domain clients, LDAP does not.

-allows nested group fetching, LDAP does not.

-allows cross domain/forest authentication, ACS does not supports it to the fullest as ACS does not support LDAP referrals.

Here is a quick reference for all the external dbs and what protocols they support:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1014889

All in all, go with AD!!

Based on the your requirements for authenticating LAN users thru switches using certificates (EAP-TLS), here is what you require:

1] A server certificate for ACS generated by a Certification Authority (your inhouse CA.) Follow these steps:

Generating a Certificate Signing Request <>

Binding CA Signed Certificates <>

2] The root CA certificate of the same CA who issued the server certificate for ACS. This root CA certificate has to/will be installed on all the LAN clients and on the ACS. This has to be done by the AD admin of your company or you can do it manually for every LAN client.

3] A client certificate on all the LAN clients from your inhouse CA (preferable the same CA at step 1). This can be pushed through GPO by AD admins of your company. No manual effort required.

4] Switch to be configured for authenticating the LAN users. Enable dot1x (802.1x). Here are the steps:

· Catalyst 2950 <>

· Catalyst 3550 <>

· Catalyst 4500 <>

· Catalyst 6500 <>

5] ACS 5.3 to be integrated with AD -- you are already working on it.

6] ACS to be installed with the root CA certificate of the CA who issued the certificate to ACS. Additionally, install the root CA certificate of the CA who issued the certificate to the clients, (if it’s not the same CA.) Refer to this section of the document:

Install the Root CA Certificate on ACS 5.x <>

7] A certificate authentication profile to be configured on the ACS for EAP-TLS authentication.

8] An Identity sequence to be configured, so that you can fetch the group membership of the user from AD (required for assigning VLAN later).

9] Authorization profiles to be configured on ACS for VLAN assignment using RADIUS attributes 64,65 and 81.

10] Access service > Identity to be configured to point to the Identity Sequence.

11] Access service > Authorization to be configured to check the group membership of the user from AD, and then assign different Authorization Profiles (created at step 9) to assign desired VLANs.

Step 7-11 we will discuss once we have got through to step 6.

Regards,

Dev

13 REPLIES
Cisco Employee

ACS 5.3 certificate based network access using AD

Ajay,

I can help you with your questions, eap-tls design & configuration. Please let me know at which stage of eap-tls implementation you are at?

-Configuring the ACS 5.3 for Active Directory

-Configuring the ACS 5.3 for eap-tls authentication

-Configuring the switches for 802.1x

-Configuring the wired clients for eap-tls

Regards,

Dev

Community Member

Re: ACS 5.3 certificate based network access using AD

Hey thanks for quick reply.

I was just checking Cisco docuemntation and there LDAP is mentioned for EAP-TLS authentication so I was just confused can I used AD or not.

I checked with server guys and they told that AD is better option, also I think AD is better and recommened also.

can you confirm about this.

Also I am working on a criteria in which LAN users will connect to switches and switches will authenticate users via ACS5.3 using certificate based authentications.

I am currently comrdinating with other teams to get AD integrated. But by the mean time could you please let me know what else will be required.

My requiredment is just to put the users in specific vlan once they authenticated and vlan should be decided based on Groups in AD.

Regards

Ajay

Gold

Re: ACS 5.3 certificate based network access using AD

When using EAP-TLS AD can come into play in one of two ways

- there is an option to perform a binary comparison on the client certificate against one stored in AD (or LDAP)

- it is possible to retrieve AD groups for the user and utilize this in authorzation

Configuration for this is done as follows:

1) Define a certificate authentication profile:

Users and Identity Stores > Certificate Authentication Profile

In the profile define the "Principal Username Attribute" - attribute that identifies user

Can optionally select "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory"

2) If want to do authorization based on AD groups, then need to create an identity sequence

Users and Identity Stores > Identity Store Sequences

In "Authentication Method List" select "Certificate Based" and select the profile from step 1

In "Additional Attribute Retrieval Search List", select Active Directory in list of selected stores

3) Select the identity sequence as the result for the indentity policy. For example, for the policy defined by default:

Access Policies > Access Services > Default Network Access >Identity

Cisco Employee

Re: ACS 5.3 certificate based network access using AD

Ajay,

As far as EAP-TLS authentication is concerned, both LDAP and AD would serve the same purpose. However, in other aspects AD is much better than LDAP, as AD:

-allows you to use MS-Chap authentication, LDAP only allows PAP.

-allows machine authentication for domain clients, LDAP does not.

-allows nested group fetching, LDAP does not.

-allows cross domain/forest authentication, ACS does not supports it to the fullest as ACS does not support LDAP referrals.

Here is a quick reference for all the external dbs and what protocols they support:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1014889

All in all, go with AD!!

Based on the your requirements for authenticating LAN users thru switches using certificates (EAP-TLS), here is what you require:

1] A server certificate for ACS generated by a Certification Authority (your inhouse CA.) Follow these steps:

Generating a Certificate Signing Request <>

Binding CA Signed Certificates <>

2] The root CA certificate of the same CA who issued the server certificate for ACS. This root CA certificate has to/will be installed on all the LAN clients and on the ACS. This has to be done by the AD admin of your company or you can do it manually for every LAN client.

3] A client certificate on all the LAN clients from your inhouse CA (preferable the same CA at step 1). This can be pushed through GPO by AD admins of your company. No manual effort required.

4] Switch to be configured for authenticating the LAN users. Enable dot1x (802.1x). Here are the steps:

· Catalyst 2950 <>

· Catalyst 3550 <>

· Catalyst 4500 <>

· Catalyst 6500 <>

5] ACS 5.3 to be integrated with AD -- you are already working on it.

6] ACS to be installed with the root CA certificate of the CA who issued the certificate to ACS. Additionally, install the root CA certificate of the CA who issued the certificate to the clients, (if it’s not the same CA.) Refer to this section of the document:

Install the Root CA Certificate on ACS 5.x <>

7] A certificate authentication profile to be configured on the ACS for EAP-TLS authentication.

8] An Identity sequence to be configured, so that you can fetch the group membership of the user from AD (required for assigning VLAN later).

9] Authorization profiles to be configured on ACS for VLAN assignment using RADIUS attributes 64,65 and 81.

10] Access service > Identity to be configured to point to the Identity Sequence.

11] Access service > Authorization to be configured to check the group membership of the user from AD, and then assign different Authorization Profiles (created at step 9) to assign desired VLANs.

Step 7-11 we will discuss once we have got through to step 6.

Regards,

Dev

Community Member

ACS 5.3 certificate based network access using AD

Thanx to both of you.

I will do AD integration and get back to you on this.

Regards

Ajay

Community Member

ACS 5.3 certificate based network access using AD

Hi,

I am done with almost all things but facing one issue currently, When i am selecting the Binary comparision method against AD, authentication is getting failed and getting below error

"22049 Binary comparison of certificates failed"

Had somoene faced this issue in ACS5.3.

Please respond asap.

Regards

Ajay

Gold

ACS 5.3 certificate based network access using AD

Maybe a silly question but just to be sure. Do you store the certificates in AD

Community Member

ACS 5.3 certificate based network access using AD

HI,

Actually server admin had done the certification requirment and might be while geenrating certificate some option were not checked correctly which might be causing this.

I will ask them again and verify this. But your guidance about implementatin was very helpful.

Currently I in authentication profile I had unchecked that option and it is working fine then also,

Ajay

Community Member

Re: ACS 5.3 certificate based network access using AD

I have the same issue, Have you done the issue. authentication using certificate and ad, Tks!

Sent from Cisco Technical Support iPhone App

Community Member

ACS 5.3 certificate based network access using AD

Hi,

I am stuck with CRL checking . While adding PKI URL is root certificate inside CA, I am getting { PKI error "Could not add Certificate Revocation List" }

Could you help me on this ?

Regards

Ajay

Community Member

ACS 5.3 certificate based network access using AD

Hello,

I have a scenario where several iphones/ipads have to be authenticated via Cisco ACS 5.3 and WLC. Currently, all the idevices are using PEAP with username/passwords and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the idevice and the clients will rely on only on certificate based authentication.

In the current ACS setup,  the Identity store sequence configuration is password based and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new IDentity store and select the "Certificate based" option, then a new access service policy has to be defined to map all the idevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies one for device access and one for network access and i am not sure if by creating new policy how the idevice traffic will hit this policy. Please advise how do we go about implementing this feature for idevices with no  username/password credentials but should use only certificate based authentication.

Thanks very much in advance.

ACS 5.3 certificate based network access using AD

Mohan,

Check my post on the other thread and you should be good to go!

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Silver

ACS 5.3 certificate based network access using AD

More details can be found on the below mentioned document.

https://supportforums.cisco.com/docs/DOC-27489

Regards

Anim Saxena

10528
Views
10
Helpful
13
Replies
CreatePlease to create content