https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553968#M288582 <P>Hello,</P><P></P><P>I have a project to deploy dot1x wireless using using certificate authentication only - ie, once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.</P><P></P><P>So no further checking of user/machine credentials required.</P><P></P><P>My question is, in this case, is there any requirement for user accounts to be defined on the ACS?&nbsp; From the documentation it isn't clear.&nbsp; I am expecting that the ACS will extract the username from the certificate CN or SAN for reporting purposes, and add them as a dynamic user, so no need to define user accounts.&nbsp; The clients will be varying - anything from handheld devices to Windows machines.</P><P></P><P>Do I have this right?</P><P></P><P>Thanks,</P><P></P><P>Paul</P> Mon, 11 Mar 2019 00:33:41 GMT paul_murphy 2019-03-11T00:33:41Z https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553968#M288582 <P>Hello,</P><P></P><P>I have a project to deploy dot1x wireless using using certificate authentication only - ie, once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.</P><P></P><P>So no further checking of user/machine credentials required.</P><P></P><P>My question is, in this case, is there any requirement for user accounts to be defined on the ACS?&nbsp; From the documentation it isn't clear.&nbsp; I am expecting that the ACS will extract the username from the certificate CN or SAN for reporting purposes, and add them as a dynamic user, so no need to define user accounts.&nbsp; The clients will be varying - anything from handheld devices to Windows machines.</P><P></P><P>Do I have this right?</P><P></P><P>Thanks,</P><P></P><P>Paul</P> Mon, 11 Mar 2019 00:33:41 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553968#M288582 paul_murphy 2019-03-11T00:33:41Z https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553969#M288583 <HTML><HEAD></HEAD><BODY><P>No need to create a user account</P><P>BTW In ACS 5 the concept of a dynamic user does not apply</P></BODY></HTML> Wed, 10 Nov 2010 06:56:09 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553969#M288583 jrabinow 2010-11-10T06:56:09Z https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553970#M288585 <HTML><HEAD></HEAD><BODY><P>Thanks</P><P></P><P>So is it really as simple as this:</P><P></P><P>1) Define the network clients: APs / WLCs + radius stuff</P><P>2) Issue cert to ACS</P><P>3) Install internal CA cert and mark as trusted</P><P>4) Enable EAP-TLS as the authentication mechanism</P><P></P><P>Cheers,</P><P></P><P>Paul</P></BODY></HTML> Wed, 10 Nov 2010 09:30:24 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553970#M288585 paul_murphy 2010-11-10T09:30:24Z https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553971#M288591 <HTML><HEAD></HEAD><BODY><P>Hi Paul,</P><P></P><P>Yes, in a nutshel that's all what is needed.</P><P></P><P>HTH,<BR />Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Wed, 10 Nov 2010 09:56:33 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-eap-tls-user-accounts/m-p/1553971#M288591 Tiago Antunes 2010-11-10T09:56:33Z