https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552135#M89686 <P>We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.</P><P>It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e switch or Wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.</P><P>On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.</P><P>You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more <span class="lia-unicode-emoji" title=":winking_face:">😉</span> ).</P><P>Have a look at this Youtube video for an example of setting up certificate authentication on ACS:&nbsp;</P><P>&nbsp; &nbsp; &nbsp;https://www.youtube.com/watch?v=U7qWJ7bIMHA</P> Tue, 01 Jul 2014 03:29:25 GMT Marvin Rhoads 2014-07-01T03:29:25Z https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552133#M89681 <P><EMBED height="0" id="xunlei_com_thunder_helper_plugin_d462f475-c18e-46be-bd10-327458d045bd" type="application/thunder_download_plugin" width="0">I wanna try to build a more secure LAN. I want every client (wired/wireless) to connect the network used a certificate not a user/password pair.</EMBED></P><P>But now, as i am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, maybe RADIUS is more suitable, but i don't know how to establish the CA.</P><P>Any help or suggestion will be appreciated!</P> Mon, 11 Mar 2019 04:50:24 GMT https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552133#M89681 miaozhixu 2019-03-11T04:50:24Z https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552134#M89684 <P>Refer " Certificate Authentication Profiles" from</P><P>http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#18226</P> Tue, 01 Jul 2014 03:16:29 GMT https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552134#M89684 Saurav Lodh 2014-07-01T03:16:29Z https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552135#M89686 <P>We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.</P><P>It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e switch or Wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.</P><P>On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.</P><P>You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more <span class="lia-unicode-emoji" title=":winking_face:">😉</span> ).</P><P>Have a look at this Youtube video for an example of setting up certificate authentication on ACS:&nbsp;</P><P>&nbsp; &nbsp; &nbsp;https://www.youtube.com/watch?v=U7qWJ7bIMHA</P> Tue, 01 Jul 2014 03:29:25 GMT https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552135#M89686 Marvin Rhoads 2014-07-01T03:29:25Z https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552136#M89687 <P>Marvin<EMBED height="0" id="xunlei_com_thunder_helper_plugin_d462f475-c18e-46be-bd10-327458d045bd" type="application/thunder_download_plugin" width="0"></EMBED></P><P>&nbsp; &nbsp; Thanks a lot. You gave me a very detail answer! As I have checked the price of ISE, I will make a decision on building a TACACS+ Server from source on my poor Mac mini.</P><P>&nbsp;</P> Tue, 01 Jul 2014 05:17:29 GMT https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552136#M89687 miaozhixu 2014-07-01T05:17:29Z https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552137#M89688 <P><EMBED height="0" id="xunlei_com_thunder_helper_plugin_d462f475-c18e-46be-bd10-327458d045bd" type="application/thunder_download_plugin" width="0">"Certificate Authencation Profiles" just include detail on how to setup in MS Windows AD, but the "RADIUS Token identity sources" did help me a lot.</EMBED></P><P>Thanks very much!</P> Tue, 01 Jul 2014 11:19:31 GMT https://community.cisco.com/t5/network-access-control/how-to-authenticate-with-certificate/m-p/2552137#M89688 miaozhixu 2014-07-01T11:19:31Z