Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

eap-tls without active directory


i have a client who provides wireless access to separate entities in the same building.

Right now he's using LEAP and ACS database. Now he would like to move toward eap-tls because it's the most secured.

Usually, I install eap-tls within a active directory and distribute machine certificate via policy. Now the problem is that his laptops are not in a Active directory domain because they come from unrelated entities.

My idea was to use a fictionnal active directory just for the database purpose, and download machine certificate manually via the web. (the client gets his hand on each laptop to configure LEAP)

Does anybody have a bright idea to deploy machine certificate without active directory; I think that no matter what, we need a database.

Thank your for your suggestions.


Re: eap-tls without active directory

Since your customer is the control point, then putting in an AD under his control would be a good idea...he'd own the domain.

Perhaps you could partition the tree such that each of his customers is an OU, and set up each user as you normally would.

Define access according to the user's OU as a group.

I believe it would be a good way to go.

Without an AD, you can have the users acces the CA directly (http:///certsrv for a Microsoft CA)

OR, you did say your customer has access to the laptops for configuration, you could just install the certs manually when you set them up for EAP-TLS.

OR, if you can talk your customer into using EAP-FAST, it's also very secure and doesn't require a user-side certificate (and is compatible with wireless IP Phones, which EAP-TLS is not, AFAIK).

Good Luck


New Member

Re: eap-tls without active directory


The client certainly will not impose AD on his customers so I will just install the certificate manually and do machine authentication.

But the certificates certify a username. I tried setting that username in the ACS database but now what password should I use in ACS ??

I don't think the PC will send a password.

Do you think that could work ?

the pc says cn=host/test_pc and the ACS checks that and grants access provided they both trust the same CA ?

I think that the ACS will try to check the password of cn=host/test_pc if ACS has this username in its local database.

Thanks for your help.