1042 Views, 5 Helpful, 4 Replies

How to authenticate with certificate?

miaozhixu
Level 1

I want to try to build a more secure LAN. I want every client (wired/wireless) connecting to the network to use a certificate rather than a user/password pair.

But as I am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, maybe RADIUS is more suitable, but I don't know how to establish the CA.

Any help or suggestion will be appreciated!

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1X and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.

It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e. switch or wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.

On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.

You could also do 802.1X with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server), but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more ;) ).

Have a look at this Youtube video for an example of setting up certificate authentication on ACS: 

     https://www.youtube.com/watch?v=U7qWJ7bIMHA


4 Replies

Saurav Lodh
Level 7

Refer " Certificate Authentication Profiles" from

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#18226

"Certificate Authentication Profiles" just includes detail on how to set it up with MS Windows AD, but the "RADIUS Token identity sources" did help me a lot.

Thanks very much!


    Thanks a lot. You gave me a very detailed answer! As I have checked the price of ISE, I have decided to build a TACACS+ server from source on my poor Mac mini.
