Cisco Support Community
New Member

EAP-TLS authentication with ACS 5.2

Hi all,

I have question on EAP-TLS with ACS 5.2.

If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?

I understand that certs are required on both the client and server end, but is this certificate tied to the machine or to an individual user?

If it is tied to the user, and I have a shared PC which is logged in to by a few users, does that mean every user account will have its own certificate?

And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?

And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert on their device, right?

Hope you guys can help with this. Thanks.

1 ACCEPTED SOLUTION

Cisco Employee

EAP-TLS authentication with ACS 5.2

Hope this will answer most of your questions:

Client or user certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t10

Machine certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t15

In the case of EAP-TLS, we have to have machine and user certificates installed on the machines.

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
7 REPLIES
New Member

Re: EAP-TLS authentication with ACS 5.2

Hi Jatin,

Thanks for the reply. But what about the user's own device? Will the user be able to get the user certificate on their own?

If using both a user cert and a machine cert, then the user will not be challenged for any credentials during the authentication process, right?

Regards,
David

Cisco Employee

Re: EAP-TLS authentication with ACS 5.2

If the user is not part of the domain, they won't get a certificate, hence they won't be able to connect.

In EAP-TLS, there is no username/password prompt. It's pure certificate authentication, so yes, users will not get any prompt for username and password.

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: EAP-TLS authentication with ACS 5.2

Hi Jatin,

One last question: I'm wondering whether you have come across doing machine authentication only?

Let's forget about EAP-TLS. If I am using PEAP with MS-CHAPv2, and I would only like to do machine authentication, then as long as the computer is part of the domain computers, it will be able to access the network, right?

What if this computer is part of the domain, but the user logs in to the local PC instead of the domain? Will they still get full access to the network?

Thanks.

Regards,

David

Cisco Employee

Re: EAP-TLS authentication with ACS 5.2

Yes, you can configure:

Machine authentication only

User authentication only

Machine and user authentication

Machine or user authentication

So machine authentication only is quite a common scenario. Correct, as long as the machine is part of a domain, you will be authenticated via machine authentication.

PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the computer password that was established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username, and the format is:

host/computer.domain

If the machine is a valid machine in the domain, then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, the machine starts getting an IP address, and once that is done, the user may have access to most of the network.

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
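The following is an added example, not code from the thread or from Cisco. It works through two things discussed above: how a RADIUS server such as ACS can tell a Windows machine authentication from a user authentication by the identity the supplicant presents (the `host/computer.domain` format Jatin describes, and the matching machine-certificate versus user-certificate split from the accepted answer), and how the four policy modes he lists behave for a shared domain PC, for a local logon on a domain PC, and for a user connecting from a non-domain device. The identity formats follow Windows conventions; the 8-hour window for remembering a machine authentication, the MAC addresses, the timings, and the rule that an unmatched request is rejected are assumptions made for the illustration, not ACS configuration.

```python
"""Added example (not from the thread or from Cisco): classify the 802.1X
identity a Windows supplicant sends and evaluate the four policy modes
listed above (machine only, user only, machine and user, machine or user).
Aging window, MAC addresses and the event sequences are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Windows machine auth (PEAP or EAP-TLS) sends host/<fqdn>; a user shows up as
# DOMAIN\user or user@domain. With EAP-TLS the server usually takes the same
# names out of the certificate SAN (dNSName on a machine cert, UPN on a user cert).
_MACHINE_RE = re.compile(r"^host/(?P<fqdn>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)$")
_USER_RE = re.compile(r"^(?:[^\\@/]+\\[^\\@/]+|[^\\@/]+@[A-Za-z0-9.-]+)$")


def classify_identity(identity: str) -> Tuple[Optional[str], str]:
    """Return ("machine", fqdn), ("user", name) or (None, raw) for unrecognised input."""
    m = _MACHINE_RE.match(identity)
    if m:
        return "machine", m.group("fqdn").lower()
    if _USER_RE.match(identity):
        return "user", identity.lower()
    return None, identity


@dataclass
class AuthEvent:
    t: int                      # seconds since the PC booted (constructed)
    mac: str                    # Calling-Station-Id of the endpoint
    identity: Optional[str]     # None = no EAP exchange (e.g. a local logon)
    credential_ok: bool = True  # outcome of the certificate or MS-CHAPv2 check


@dataclass
class PolicyEngine:
    mode: str                    # machine_only | user_only | machine_and_user | machine_or_user
    mar_aging: int = 8 * 3600    # assumed: how long a machine auth is remembered per MAC
    _machine_seen: Dict[str, int] = field(default_factory=dict)
    _port_state: Dict[str, str] = field(default_factory=dict)

    def decide(self, ev: AuthEvent) -> str:
        """Return the port state for this endpoint after the event."""
        if ev.identity is None:
            # A local logon starts no new 802.1X exchange, so whatever the
            # machine auth at boot established stays in force.
            return self._port_state.get(ev.mac, "UNAUTHORIZED")
        kind, _ = classify_identity(ev.identity)
        if not ev.credential_ok or kind is None:
            accept = False
        elif kind == "machine":
            self._machine_seen[ev.mac] = ev.t
            accept = self.mode != "user_only"
        elif self.mode == "machine_only":
            accept = False              # assumed: no matching rule, so reject
        elif self.mode in ("user_only", "machine_or_user"):
            accept = True
        else:  # machine_and_user: this endpoint must have passed machine auth recently
            last = self._machine_seen.get(ev.mac)
            accept = last is not None and ev.t - last <= self.mar_aging
        self._port_state[ev.mac] = "AUTHORIZED" if accept else "UNAUTHORIZED"
        return self._port_state[ev.mac]


def run(mode: str, events: List[AuthEvent]) -> List[str]:
    engine = PolicyEngine(mode)
    return [engine.decide(ev) for ev in events]


PC_MAC, BYOD_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"   # constructed


def domain_pc_boot_then_local_logon(mode: str) -> List[str]:
    """Domain PC authenticates at boot, then someone logs on to a local account."""
    return run(mode, [AuthEvent(5, PC_MAC, "host/pc0123.corp.example.com"),
                      AuthEvent(60, PC_MAC, None)])


def shared_domain_pc(mode: str) -> List[str]:
    """Boot-time machine auth followed by two different domain users."""
    return run(mode, [AuthEvent(5, PC_MAC, "host/pc0123.corp.example.com"),
                      AuthEvent(60, PC_MAC, "CORP\\david"),
                      AuthEvent(4000, PC_MAC, "CORP\\alice")])


def byod_with_user_cert(mode: str) -> List[str]:
    """A user credential presented from a device that never did machine auth."""
    return run(mode, [AuthEvent(0, BYOD_MAC, "david@corp.example.com")])


if __name__ == "__main__":
    for mode in ("machine_only", "user_only", "machine_and_user", "machine_or_user"):
        print(f"{mode:17} local logon on domain PC: {domain_pc_boot_then_local_logon(mode)}")
        print(f"{mode:17} shared domain PC:         {shared_domain_pc(mode)}")
        print(f"{mode:17} BYOD user credential:     {byod_with_user_cert(mode)}")
```

The `machine_and_user` branch is the one that answers the question about a user bringing in their own device: a valid user credential on an endpoint that has never passed machine authentication is refused, while the same credential on a domain PC that authenticated at boot is accepted. The `identity is None` branch models the local-logon case Jatin describes: the port stays in whatever state the boot-time machine authentication left it.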
New Member

EAP-TLS authentication with ACS 5.2

Hi Jatin,

Is there any chance that I can have access to this document, as the website says that I may not be entitled?

I am in the same dilemma about which EAP type to use and how machine authentication works with certificates.

Mario

Cisco Employee

EAP-TLS authentication with ACS 5.2

Try this:

Client or user certificate

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t10

Machine certificate

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t15

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**