Cisco Support Community
EAP-TLS match on custom EKU with ACS 5.5

Hi,

Is there any possibility to match on a custom EKU with ACS 5.5?

I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.

I know that it's possible with Microsoft NPS, but I would prefer a solution with ACS. But in ACS the certificate dictionary contains only a few attributes, i.e. common name, issuer, subject, but not the Enhanced Key Usage (EKU).

Any suggestions?

Thanks,

Werner

2 REPLIES

Object Identifier Check for EAP-TLS Authentication

ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.

When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.

To enable OID comparison you must:

Enable EAP-TLS from the NAP page.

Enter OID strings that contain only numbers, dots, commas and spaces, for example: 1.3.6.1.5.5.7.3.2 is a valid OID string.

Enter multiple OIDs as comma-separated values. For example: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 is a valid string.
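To make the check described above concrete, here is an added example (my own code, not Cisco's) that models what the ACS OID comparison does: it decodes the DER-encoded EKU extension of a client certificate (a SEQUENCE OF OBJECT IDENTIFIER), validates the configured OID string under the "numbers, dots, commas and spaces" rule, and fails any certificate whose EKU is empty. The sample EKU bytes are constructed in the code with a small encoder; the custom EKU 1.3.6.1.4.1.99999.1 is a made-up placeholder, and treating a match on any one configured OID as success is my assumption about ACS semantics.

```python
import re

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; used only to build constructed test data."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                           # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids) -> bytes:
    """Constructed EKU extension value: SEQUENCE of OIDs (short-form lengths only)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs found inside a DER EKU extension value."""
    assert der[0] == 0x30 and der[1] < 0x80, "expected short-form SEQUENCE"
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        assert der[pos] == 0x06, "expected OBJECT IDENTIFIER"
        length = der[pos + 1]
        body = der[pos + 2 : pos + 2 + length]
        arcs, value = [body[0] // 40, body[0] % 40], 0   # fine for arcs 1.x / 2.(<40)
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:                             # last byte of this arc
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids

def parse_oid_config(config: str) -> list:
    """ACS rule: only digits, dots, commas and spaces; OIDs are comma-separated."""
    if not re.fullmatch(r"[0-9., ]+", config):
        raise ValueError("OID string may contain only numbers, dots, commas and spaces")
    return [o.strip() for o in config.split(",") if o.strip()]

def oid_check(eku_der: bytes, config: str) -> bool:
    """Pass only if the EKU is non-empty and (assumption) any configured OID is present."""
    present = decode_eku(eku_der) if eku_der else []
    return bool(present) and any(o in present for o in parse_oid_config(config))
```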

Thanks for your Response!

Sorry, I did not mention that I'm running ACS version 5.4. So there is no NAP page. Is there a way for ACS 5.4, too?

Thanks