I have an ASA and I am using an ACS server, which is a VMware appliance.
My question now is that I would like to authenticate two different types of devices from a single RADIUS client.
Device 1 – Authenticating using Username and Password from Domain1 and Device Certificate from CA1
Device 2 – Authenticating using Username and Password from Domain 2 and User Certificate from CA2
Can a single Cisco ACS server be configured to do this? If not, can two Cisco ACS servers be configured to do this, bearing in mind that it is a single RADIUS client which can only direct authentication traffic to a single RADIUS server?
I am using the EAP method with a local certificate for that CA, which has been installed on the ACS, and that local cert needs to be assigned to the EAP protocol.
Hence, to proceed further, I want to authenticate EAP against a second certificate authority. I can load a local certificate from this CA as well, but the EAP protocol can only be assigned to one cert at a time, so EAP authentication to this CA fails.
E.g. I see the certificate cert1 under System Admin -> Config -> Local Certificates -> Issued By: cert1, Protocol: EAP.
The error on the client says: "No root certificate installed to validate authentication."
Yes, it's quite easy. ACS can authenticate against two CAs; you simply have to add those two CA certificates to the CA trust list.
I think you have some confusion on the certificate topic.
The certificate you install on ACS must be a certificate that the client will trust.
The client certificate must be a certificate that ACS trusts.
To be more precise, to trust the client certificate, it must be issued by a CA that the ACS trusts, so it just requires you to have added that CA to the trusted authorities in ACS.
For the client to trust the ACS, the ACS certificate needs to have been issued by a CA that the client trusts. So if your clients are from multiple different domains, then you need to manually install the ACS certificate (or its CA) on the clients.
Hope this clarifies.
Don't forget to rate answers that you find useful.