
Cisco ACS with External DB - EAP-TLS

kfarrington
Level 3

Hi Guys,

I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.

Let's say both user and computer certs are employed:

1. Both client and ACS perform checks with each other's certs to ensure they are known to each other. The eap-tls exchange.

2a. At some stage, and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?

2b. What is the parameter that is checked against the AD database?

I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

Client Certificates

Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:

CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.

SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.

Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?

Please can someone help me with these points.

I am so lost in this stuff :)) I think.

Many thx and many kind regards,

Ken

20 Replies

Just out of interest, the pass was on an internal ACS DB, correct, and the fail was on an external DB?

Just as one said consulting the external DB and one did not?

Ta fella

Ken

When authentication passed, the user ID was in the external database (AD). I see where you are looking; the ACS debugs somehow did not provide enough information on when it actually checked against the AD database. But the user ID was in AD.

Another proof that the user was checked against AD is that the user ID would be cached dynamically in the ACS database, under the "User Setup" section on ACS, and its password authentication would be automatically selected as "Windows Database".

HTH

Regards,

Prem

thx man, take care and thx for the huge help here.

Ken

Hey Prem, and all,

Long time no speak.

Saw this thread and thought this was very cool :))

I have one last question here.

On the ACS, there is the concept of "setting username during authentication".

Select one of the following options for setting username during authentication:

Use Outer Identity

Use CN as Identity

Use SAN as Identity

I don't fully understand this part of the eap-tls setup, as you are setting the comparison type before these options, i.e. just above on the ACS where you use CN/SAN/Binary?

Can anyone confirm what this bit actually does?

Many thx indeed,

Kind regards,

Ken

Some related documentation:

You can specify which user identity ACS uses when sending an authentication request after the EAP-TLS authentication handshake is completed. Use this option to search for a user in the database based on the identity you chose. By default, the outer identity is used for EAP-TLS authentication. Select one of the following options:

• Use Outer Identity - The outer identity is taken as the username to search for in the database.

• Use CN as Identity - The Certificate Name is taken as the username to search for in the database.

• Use SAN as Identity - The Subject Alternative Name from the user certificate is taken as the username to search for in the database.

Note: SAN and CN outer identities cannot be used for EAP-TLS machine authentication.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wpmkr468336
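The two settings Ken is asking about (the comparison type quoted in the opening post, and the "setting username during authentication" option quoted just above) are easier to see as two separate steps: first pick the string used to search the database, then apply the comparison type to the entry that was found. The model below is an added illustration, not Cisco ACS code and not taken from the linked documentation. The certificates, the directory records, the attribute names used for lookup, and all function names are constructed assumptions; the only behaviour it follows from the page is the three comparison types, the three identity options, and the note that CN/SAN identities are not used for machine authentication.

```python
"""Model of the two EAP-TLS user-mapping settings discussed in this thread:
(1) which identity is used to search the database, and (2) the comparison
type applied to the presented client certificate. Added illustration, not
Cisco ACS code; certificates, directory records and function names are
constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    der: bytes                                # constructed stand-in for the DER bytes
    subject_cn: str                           # CN from the certificate Subject
    san: dict = field(default_factory=dict)   # SAN entries, e.g. {"UPN": "ken@example.test"}


# Constructed directory, keyed by account name, mimicking AD/LDAP attributes.
DIRECTORY = {
    "ken": {
        "userPrincipalName": "ken@example.test",
        # binary copy of the issued certificate, as the doc requires for binary comparison
        "userCertificate": [b"\x30\x82\x01\x00-constructed-der-for-ken"],
    },
    "host01$": {"userPrincipalName": "host/host01.example.test", "userCertificate": []},
}

# The certificate actually issued to Ken (constructed).
KEN_CERT = ClientCert(der=b"\x30\x82\x01\x00-constructed-der-for-ken",
                      subject_cn="ken", san={"UPN": "ken@example.test"})
# A second, different certificate whose names match Ken's (constructed).
LOOKALIKE_CERT = ClientCert(der=b"\x30\x82\x01\x00-constructed-der-other",
                            subject_cn="ken", san={"UPN": "ken@example.test"})


def identity_for_lookup(outer_identity, cert, option, machine=False):
    """Setting 1 ("setting username during authentication"): pick the string
    used to search the database. option is "outer", "cn" or "san"."""
    if machine and option != "outer":
        # Doc note: CN/SAN identities are not usable for machine authentication.
        raise ValueError("machine authentication must use the outer identity")
    if option == "outer":
        return outer_identity
    if option == "cn":
        return cert.subject_cn
    if option == "san":
        return cert.san.get("UPN")
    raise ValueError(f"unknown identity option {option!r}")


def find_entry(username, directory):
    """Look the username up by account name or by UPN (assumed lookup rule)."""
    if username in directory:
        return username, directory[username]
    for name, attrs in directory.items():
        if attrs["userPrincipalName"].lower() == username.lower():
            return name, attrs
    return None, None


def certificate_matches(cert, account, entry, comparison):
    """Setting 2 (the comparison type): does the presented certificate belong
    to the entry that was found? comparison is "cn", "san" or "binary"."""
    if comparison == "cn":
        return cert.subject_cn.lower() == account.lower()
    if comparison == "san":
        return cert.san.get("UPN", "").lower() == entry["userPrincipalName"].lower()
    if comparison == "binary":
        # Only an exact copy of a certificate stored on the entry is accepted.
        return cert.der in entry["userCertificate"]
    raise ValueError(f"unknown comparison {comparison!r}")


def authenticate(outer_identity, cert, option, comparison, directory=DIRECTORY, machine=False):
    """Return (account, accepted). Runs after the TLS handshake has already
    validated the certificate chain; this is only the database step."""
    username = identity_for_lookup(outer_identity, cert, option, machine)
    account, entry = find_entry(username or "", directory)
    if entry is None:
        return None, False
    return account, certificate_matches(cert, account, entry, comparison)


if __name__ == "__main__":
    for label, cert in (("issued", KEN_CERT), ("lookalike", LOOKALIKE_CERT)):
        for comparison in ("cn", "san", "binary"):
            print(label, comparison, authenticate("ken@example.test", cert, "outer", comparison))
```

Running it shows the practical difference between the comparison types: the lookalike certificate, which carries the same CN and UPN but different bytes, is accepted under CN and SAN comparison and rejected only under binary comparison, because binary comparison binds the account to one specific issued certificate rather than to a name.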

Hi There,

I am really sorry here, but I don't understand.

So, this is the way I understand it to work:

EAP-TLS auth happens. At this point, certs are exchanged, we use the SAN or CN from the cert to compare against Active Directory, and then the auth result is sent back from AD to ACS and ACS sends the eap-success/fail message to the client.

That is dictated in the first config section of the ACS for eap-tls.

Now, the second part I am still lost on: when does eap-tls do authentication outside of or after eap-tls has been achieved?

I am confused?

Many Thx, once again,

Ken