06-30-2014 06:30 AM - edited 03-10-2019 09:50 PM
But now, as i am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, maybe RADIUS is more suitable, but i don't know how to establish the CA.
Any help or suggestion will be appreciated!
Solved! Go to Solution.
06-30-2014 08:29 PM
We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.
It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e switch or Wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.
On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.
You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more ;) ).
Have a look at this Youtube video for an example of setting up certificate authentication on ACS:
https://www.youtube.com/watch?v=U7qWJ7bIMHA
06-30-2014 08:16 PM
Refer " Certificate Authentication Profiles" from
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#18226
07-01-2014 04:19 AM
Thanks very much!
06-30-2014 08:29 PM
We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.
It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e switch or Wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.
On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.
You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more ;) ).
Have a look at this Youtube video for an example of setting up certificate authentication on ACS:
https://www.youtube.com/watch?v=U7qWJ7bIMHA
06-30-2014 10:17 PM
Marvin
Thanks a lot. You gave me a very detail answer! As I have checked the price of ISE, I will make a decision on building a TACACS+ Server from source on my poor Mac mini.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: