Cisco Support Community

New Member

ACS with PKI

I am using an ACS server for authentication/authorization of clients, routers/switches/users. I am also using this same ACS server to authorize the router to use certificates (av-pair cert-application=all). For this to work you need to create a user (FQDN of router) in ACS.

The side effect is that anybody can use this username and password to log in to any device in this setup. I did limit the privilege to 0 so no enable rights are possible.

Is there a possibility on the ACS to make sure that this user is only allowed to use certificates and can't log in at all?

1 REPLY
Silver

Re: ACS with PKI

If you use EAP-TLS, you will need more ACS servers; but, if you use PEAP, you will need fewer. EAP-TLS is slower than PEAP due to public-key infrastructure (PKI) processing time.
