Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS in the Active Directory environment

Hi forumers'

Asking,

question 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer? 

question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?

question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case,  ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?

thanks

Noel

1 ACCEPTED SOLUTION

Accepted Solutions

ACS in the Active Directory environment

Noel

Answers

question  1. in the typical active directory environment and doing wireless/wired  802.1x authentication on endpoints, should ACS join as a domain  computer? 

Yes since most protocols used by endpoints is peap (eap-mschapv2) this is the only way to get this to work, since ldap doesnt support this protocol. If you are using eap-tls you can choose to use AD as an LDAP store.

question  2. for the endpoint (domain computer) join the domain, in this case is  the endpoint will trust the ACS ( also domain computer) ?

Once authentication is succeeded (assuming user authentication) the machine will have open access to the network to join the domain, if performing machine authentication the workstation will have to be joined already prior to being released to the dot1x network. The workstation only trusts the ACS with the certificate presented for authentication, it doesnt have any other information and doesnt know if it is part of the domain.

question  3. what if there's a GPO policy to install the rootCA certificate  toward the endpoints. In this case,  ACS should issue the CSR and let  the domain CA to signed as the identity certificate? Am i correct?

GPO to endpoints for the root CA shouldnt be a problem, but it would be best to have your root CA sign the ACS CSR if that is what you are asking. You will have to also enable a GPO to validate the server certificate (but I havent done this before but I am sure it exists on which root CA to trust).

thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
2 REPLIES

ACS in the Active Directory environment

Noel

Answers

question  1. in the typical active directory environment and doing wireless/wired  802.1x authentication on endpoints, should ACS join as a domain  computer? 

Yes since most protocols used by endpoints is peap (eap-mschapv2) this is the only way to get this to work, since ldap doesnt support this protocol. If you are using eap-tls you can choose to use AD as an LDAP store.

question  2. for the endpoint (domain computer) join the domain, in this case is  the endpoint will trust the ACS ( also domain computer) ?

Once authentication is succeeded (assuming user authentication) the machine will have open access to the network to join the domain, if performing machine authentication the workstation will have to be joined already prior to being released to the dot1x network. The workstation only trusts the ACS with the certificate presented for authentication, it doesnt have any other information and doesnt know if it is part of the domain.

question  3. what if there's a GPO policy to install the rootCA certificate  toward the endpoints. In this case,  ACS should issue the CSR and let  the domain CA to signed as the identity certificate? Am i correct?

GPO to endpoints for the root CA shouldnt be a problem, but it would be best to have your root CA sign the ACS CSR if that is what you are asking. You will have to also enable a GPO to validate the server certificate (but I havent done this before but I am sure it exists on which root CA to trust).

thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

ACS in the Active Directory environment

Hi Tarik,

Thanks for the reply. So it's always good to get the ACS join as doamin computer and issue CSR to let the CA server signed of it.

thanks

472
Views
0
Helpful
2
Replies
CreatePlease to create content