Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EAP-TLS doing only machine authentication

We want to implement a wireless secure network using eap-tls. We are using ACS appliance 3.3 version and trapeze access points. The clients are windows XP. During testing at lab ,wedidnt use Active directory. The ca in the lab was installed on standlone server, acs 4.0 on the same machine. on the acs we created the users in the local database of acs and used the certificates with the same user name to te clients. So it was working fine with user certificates.

Now we want to do the same in the production environment using AD.

Questions:

Does CA need to exist on the server being domain controller or it can be a standlone CA running on a server within the AD domain.

we want only machine authentication to happen using EAP-TLS and not the user authentication.

apart from enabling eap-machine authentication, installing CA certificates and mapping the groups -both the computer accounts and user accounts. do we need anything else to be done on the ACS

5 REPLIES
Bronze

Re: EAP-TLS doing only machine authentication

The following document may be helpful for you . It talks about the deployment of EAP-TLS authentication.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

New Member

Re: EAP-TLS doing only machine authentication

Hi follow

i am also doing he same thing but ina diff environment not for the device inside the company network but i am lookin for something when i can have the macine authentication for the easy vpn users accessing the company network , so m/c authentication need to be done over the vpn tunnel for the easy vpn users using the certificate issued by the domain controller

Have one query from where r u getting the certificate for m/c authentication from a windows based certificate authority or as in my process the certificate issued by the domain controller for all domain m/c

Please guide me

Thanks & regards

Manish

Cisco Employee

Re: EAP-TLS doing only machine authentication

A few things here:

* You need a CA "somewhere". It need not be on a domain controller. It can be a standalone private CA that you can setup, or you could purchase certs, and let someone else bother with this "burden" (like Verisign, Entrust, etc.). The CA need not be part of the domain either, but AD can help distribute certs, and cert-trust.

* If you want only machine authentication to happen using EAP-TLS and not the user authentication, then you need to specialize your supplicant config. Assuming it's Windows, this is available via registry keys, and is not a default setting.

* The only other thing you'd need to really do on ACS (apart from a vanilla config) is to explicitly enable/permit machine auth for Windows in the backend db config portion.

* As for VPN, this (802.1X) won't work well unless you also manage/operate the first L2 hop the computer plugs into (since it needs to be setup to talk to your RADIUS server, etc.)

Hope this helps,

New Member

Re: EAP-TLS doing only machine authentication

Thanx for the reply. If we use standalone CA how can AD distribute machine certifcates. As i knw we have to enroll manually and if we do manually whts shd be the CN field, shd it be the hostname or a fully qualified domain name. If using standalone CA and trusted in AD ,is there a option to do autoenrollment.

Cisco Employee

Re: EAP-TLS doing only machine authentication

auto-enrollment from AD can be an option for you. This should help:

<http://download.microsoft.com/download/b/0/e/b0e2a363-0044-4327-8f17-020818f57234/Wired_depl.doc>

245
Views
0
Helpful
5
Replies
CreatePlease login to create content