We want to implement a secure wireless network using EAP-TLS. We are using the ACS appliance 3.3 version and Trapeze access points. The clients are Windows XP. During testing in the lab, we didn't use Active Directory. The CA in the lab was installed on a standalone server, with ACS 4.0 on the same machine. On the ACS we created the users in the local ACS database and issued certificates with the same user names to the clients. So it was working fine with user certificates.
Now we want to do the same in the production environment using AD.
Does the CA need to exist on the server that is the domain controller, or can it be a standalone CA running on a server within the AD domain?
We want only machine authentication to happen using EAP-TLS, and not user authentication.
Apart from enabling EAP machine authentication, installing the CA certificates and mapping the groups (both the computer accounts and the user accounts), does anything else need to be done on the ACS?
I am also doing the same thing, but in a different environment: not for the devices inside the company network, but I am looking for something where I can have machine authentication for the Easy VPN users accessing the company network, so machine authentication needs to be done over the VPN tunnel for the Easy VPN users using the certificate issued by the domain controller.
I have one query: from where are you getting the certificate for machine authentication, from a Windows-based certificate authority, or, as in my process, the certificate issued by the domain controller for all domain machines?
* You need a CA "somewhere". It need not be on a domain controller. It can be a standalone private CA that you can set up, or you could purchase certs and let someone else bother with this "burden" (like Verisign, Entrust, etc.). The CA need not be part of the domain either, but AD can help distribute certs and cert trust.
* If you want only machine authentication to happen using EAP-TLS and not the user authentication, then you need to specialize your supplicant config. Assuming it's Windows, this is available via registry keys, and is not a default setting.
* The only other thing you'd need to really do on ACS (apart from a vanilla config) is to explicitly enable/permit machine auth for Windows in the backend db config portion.
* As for VPN, this (802.1X) won't work well unless you also manage/operate the first L2 hop the computer plugs into (since it needs to be set up to talk to your RADIUS server, etc.)
Thanks for the reply. If we use a standalone CA, how can AD distribute machine certificates? As far as I know we have to enroll manually, and if we do it manually, what should the CN field be: the hostname or a fully qualified domain name? If using a standalone CA that is trusted in AD, is there an option to do autoenrollment?
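As an added example (not code from any poster in this thread, and not ACS code), the following Python models the admission decision a RADIUS server makes for machine-only EAP-TLS: the identity must be a computer identity, the certificate must chain to a trusted issuer, be unexpired, carry the Client Authentication EKU, and name the same computer as the identity, after which the computer is mapped to a group by its DNS domain. It assumes default Windows supplicant behaviour, where computer authentication presents the identity `host/<FQDN>` and a certificate from the AD Computer template carries the computer's FQDN as subject CN and as a SAN DNS name; the `ClientCert` and `Policy` structures, the issuer names and the hostnames are constructed for the example, and DER parsing of a real certificate is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (RFC 5280)


@dataclass
class ClientCert:
    # Fields as already decoded from the presented X.509 certificate
    # (assumed structure; DER parsing is not modelled here).
    subject_cn: str
    issuer_cn: str
    san_dns: list = field(default_factory=list)
    eku: list = field(default_factory=list)
    not_after: datetime = datetime(2030, 1, 1, tzinfo=timezone.utc)


@dataclass
class Policy:
    trusted_issuers: set      # issuer CNs whose chain the RADIUS server trusts
    allowed_domains: set      # DNS suffixes of computer accounts allowed on


def classify_identity(identity):
    # Windows computer authentication sends "host/<fqdn>"; anything else is a user.
    if identity.lower().startswith("host/"):
        return "machine", identity[5:].lower()
    return "user", identity.lower()


def check_machine_eap_tls(identity, cert, policy, now=None):
    """Return (accept, reason, group) for a machine-only EAP-TLS policy."""
    now = now or datetime.now(timezone.utc)
    kind, fqdn = classify_identity(identity)
    if kind != "machine":
        return False, "user identity presented; policy is machine-only", None
    if cert.issuer_cn not in policy.trusted_issuers:
        return False, "issuer not trusted", None
    if cert.not_after <= now:
        return False, "certificate expired", None
    if CLIENT_AUTH_EKU not in cert.eku:
        return False, "certificate lacks Client Authentication EKU", None
    # The identity must match the CN or a SAN DNS name; a short hostname
    # in the CN will not match the FQDN the supplicant presents.
    names = {cert.subject_cn.lower()} | {n.lower() for n in cert.san_dns}
    if fqdn not in names:
        return False, f"identity {fqdn} not found in CN/SAN {sorted(names)}", None
    _host, _, domain = fqdn.partition(".")
    if domain not in policy.allowed_domains:
        return False, f"domain {domain!r} not permitted", None
    return True, "ok", f"machines-{domain}"


# Constructed sample policy and certificates (hypothetical names).
POLICY = Policy(trusted_issuers={"Example Corp Issuing CA"},
                allowed_domains={"corp.example.com"})
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ISSUER = "Example Corp Issuing CA"

SAMPLES = {
    "good": ("host/pc01.corp.example.com",
             ClientCert("pc01.corp.example.com", ISSUER,
                        san_dns=["pc01.corp.example.com"], eku=[CLIENT_AUTH_EKU])),
    "short_cn": ("host/pc02.corp.example.com",
                 ClientCert("pc02", ISSUER, eku=[CLIENT_AUTH_EKU])),
    "user": ("alice@corp.example.com",
             ClientCert("alice", ISSUER, eku=[CLIENT_AUTH_EKU])),
    "no_eku": ("host/pc03.corp.example.com",
               ClientCert("pc03.corp.example.com", ISSUER)),
    "expired": ("host/pc04.corp.example.com",
                ClientCert("pc04.corp.example.com", ISSUER, eku=[CLIENT_AUTH_EKU],
                           not_after=datetime(2024, 1, 1, tzinfo=timezone.utc))),
    "foreign_ca": ("host/pc05.corp.example.com",
                   ClientCert("pc05.corp.example.com", "Some Public CA",
                              eku=[CLIENT_AUTH_EKU])),
}


def run_samples(now=FIXED_NOW):
    """Evaluate every constructed sample against POLICY."""
    return {name: check_machine_eap_tls(ident, cert, POLICY, now)
            for name, (ident, cert) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason, group) in run_samples().items():
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT':6} {reason} {group or ''}")
```

The `short_cn` sample is the case behind the CN question above: a certificate whose CN is only the short hostname does not match the `host/<FQDN>` identity, so the server cannot tie it to the computer account and rejects it, whereas the `good` sample with the FQDN in CN and SAN is admitted and mapped to a group derived from its domain.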