
New Member

Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Hi all,

I've been looking for a solution to a specific customer requirement.

I'd like to authenticate wireless users with certificates from different Root CAs and assign them to a VLAN based on their domain, ideally using the same SSID and a Cisco ACS server.

Is it possible?  Anyone seen it working?

I realise that ACS can have enterprise trust for the relevant Root CA (not sure which version is required for this?). And that VLAN assignment is also possible from a single SSID based on RADIUS attributes. But I'm not certain that these pieces would all fit together?!

Would really appreciate some guidance!

Thanks in advance

Rob

1 ACCEPTED SOLUTION


Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Hi,

Yes all of this is possible. I would suggest you implement them one by one to make sure all is working but there is no issue in doing this. All recent versions of ACS allow this.

You can do group mapping based on AD groups (so a group for each domain if you want) and assign the VLAN based on this group mapping.

The ACS can trust multiple CAs and authenticate users presenting certificates from all those CAs. It's just a matter of importing those CAs' certificates into the trust list.

And you can assign the VLAN and only use one SSID as well.

I can't guide you on the procedure as this depends on what versions you have and whether you have IOS APs or a WLC, but it's basically every separate feature as in the config guide, just used all together.

Nicolas

===

Don't forget to rate answers that you find useful

6 REPLIES


New Member

Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Thanks for the reply Nicolas - that's really helpful

Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

The ACS STILL does not support having more than one certificate loaded on the ACS, so you won't be able to do actual mutual certificate validation with multiple CAs when using EAP-TLS with machine/user certs. PEAP with just basic root trust will be fine for multiple CAs.

Jan

New Member

Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Hi Jan,

Thanks also for your info, which again is very helpful for the design.

Are there any other RADIUS servers that support multiple CAs for TLS-based client auth that you are aware of?

If there is a one-to-one relationship between CA and RADIUS for TLS then that's fine, I'd just like to make sure.

Regards,

Rob

Cisco Employee

Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Hi,

What Jan wrote is not entirely true.

ACS only uses one cert for its own use (web browser and certificate authentication), however ACS supports multiple CAs for client authentication with EAP-TLS.

In a situation of mutual authentication, the clients need to trust the unique ACS cert, but each client can use a cert issued by a different CA as long as the ACS trusts it.

You just need to add the multiple CA certs on the ACS under

Users and Identity Stores > Certificate Authorities

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
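To make the two points above concrete (Nicolas: import every CA's certificate into the trust list and return the VLAN over RADIUS from one SSID; Tiago: the server has one certificate of its own, but many trusted client CAs), here is an added example that is not from this thread and not Cisco's code. It uses Go's crypto/x509 as a stand-in for the ACS trust list: two constructed roots are trusted, a third is not, and a hypothetical policy keyed by the root that anchored the chain (ACS would use AD group mapping instead) selects the VLAN, which is then encoded as the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes a WLC reads from the Access-Accept. All CA and user names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical policy: the root CA that anchors the client's chain decides the VLAN.
var vlanByRootCN = map[string]uint32{
	"Example Corp A Root CA": 10,
	"Example Corp B Root CA": 20,
}

// makeCert signs tmpl with signer (parent == tmpl yields a self-signed certificate).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// NewRootCA builds a throwaway self-signed root standing in for a customer's enterprise CA.
func NewRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return makeCert(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueClientCert issues an EAP-TLS user certificate (clientAuth EKU) from the given root.
func IssueClientCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, upn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: upn},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return makeCert(tmpl, root, &key.PublicKey, rootKey)
}

// TunnelAttrs encodes the RFC 2868 triplet: Tunnel-Type(64)=VLAN(13),
// Tunnel-Medium-Type(65)=IEEE-802(6), Tunnel-Private-Group-ID(81)=VLAN id as a string.
// Each value starts with a Tag byte (0x00 = untagged); integers are 3 bytes after it.
func TunnelAttrs(vlan uint32) []byte {
	avp := func(typ byte, value []byte) []byte {
		return append([]byte{typ, byte(3 + len(value)), 0x00}, value...)
	}
	u24 := func(n uint32) []byte { return []byte{byte(n >> 16), byte(n >> 8), byte(n)} }
	out := avp(64, u24(13))
	out = append(out, avp(65, u24(6))...)
	return append(out, avp(81, []byte(fmt.Sprint(vlan)))...)
}

// Authorize validates the presented certificate against all trusted roots at once and maps
// the root that anchored the chain to a VLAN; untrusted issuers and non-clientAuth certs fail.
func Authorize(client *x509.Certificate, trusted ...*x509.Certificate) (uint32, []byte, error) {
	roots := x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	chains, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	anchor := chains[0][len(chains[0])-1] // last element of the chain is the trusted root
	vlan, ok := vlanByRootCN[anchor.Subject.CommonName]
	if !ok {
		return 0, nil, fmt.Errorf("no VLAN policy for root %q", anchor.Subject.CommonName)
	}
	return vlan, TunnelAttrs(vlan), nil
}

func main() {
	caA, keyA := NewRootCA("Example Corp A Root CA")
	caB, keyB := NewRootCA("Example Corp B Root CA")
	caX, keyX := NewRootCA("Example Other Root CA") // deliberately not in the trust list
	for _, c := range []*x509.Certificate{IssueClientCert(caA, keyA, "alice@corp-a.example"),
		IssueClientCert(caB, keyB, "bob@corp-b.example"), IssueClientCert(caX, keyX, "carol@other.example")} {
		vlan, attrs, err := Authorize(c, caA, caB)
		fmt.Printf("%-22s vlan=%d attrs=%x err=%v\n", c.Subject.CommonName, vlan, attrs, err)
	}
}
```

Note that the server's own EAP certificate (the single one Tiago and Jan refer to) never enters this pool; the trust set used for client validation is a separate list, which is why one server certificate and several client CAs coexist. The third client is rejected because its root was never imported, which is the failure to look for in the server's authentication log when a new domain's users cannot connect.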

New Member

Re: Cisco ACS, Multiple CA, VLAN assignment relevant to domain

This post makes me question my stance as well, up until now I've agreed with Jan in that I have had no success trusting certificates from two different Root CAs.

Is there something I'm missing? I have both roots and all sub-CA certificates imported into Users and Identity Stores > Certificate Authorities and each one has the "Trust for client with EAP-TLS" option checked. Still didn't work, and then in troubleshooting I noticed the following:

The option that seemed to decide which certificate chain would be trusted is System Administration > Local Certificates. This area only allows me to select one single certificate for protocol EAP, and this is supported by the fact that the certificates from the Root CA specified here do work while the other does not.
