https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283751#M10609 <HTML><HEAD></HEAD><BODY><P>Thank you all!</P></BODY></HTML> Sun, 06 Oct 2013 04:59:38 GMT Derrick Robba 2013-10-06T04:59:38Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283745#M10603 <P>Hello all,</P><P>I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).</P><P><BR />Thanks a lot.</P><P>Best regards.</P> Sun, 04 Jul 2021 07:41:56 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283745#M10603 ALFONSO MONEO VILORIA 2021-07-04T07:41:56Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283746#M10604 <HTML><HEAD></HEAD><BODY><P style="margin-top: px; margin-bottom: px; line-height: normal;">Hi Alfonso,&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;"><STRONG>Certificate Retrieval for EAP-TLS Authentication </STRONG> </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;"><STRONG>Configuring CA Certificates </STRONG> </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.&nbsp; </P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate</P><P></P><P style="margin-top: px; margin-bottom: px; line-height: normal;">Also check the below link,&nbsp;&nbsp; </P><P style="margin-top: px; margin-bottom: px; line-height: normal;"><A href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404</A></P></BODY></HTML> Tue, 03 Sep 2013 16:09:58 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283746#M10604 Anas Naqvi 2013-09-03T16:09:58Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283747#M10605 <HTML><HEAD></HEAD><BODY><P>Hello Anas,</P><P>thanks a lot for your response. I've finally discarded the idea of implement 2 authentications because I think that EAP-CHAINING (with ISE) is the only way to do really this.</P><P>Now, I'm going to implement only one authentication process based on machine certificate for Windows, Android and iOS using EAP-TLS.</P><P>Your help will be very useful to do this!.</P><P><BR />Best regards,</P><P>Alfonso Moneo</P></BODY></HTML> Mon, 30 Sep 2013 11:17:03 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283747#M10605 ALFONSO MONEO VILORIA 2013-09-30T11:17:03Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283748#M10606 <HTML><HEAD></HEAD><BODY><P>Will a machine cert work in 5.3?<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sat, 05 Oct 2013 18:32:11 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283748#M10606 Derrick Robba 2013-10-05T18:32:11Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283749#M10607 <HTML><HEAD></HEAD><BODY><P>If you are talking about ACS 5.3, yes it supports EAP-TLS which does requires a machine certificate. It's supported in most of the v4.x and v5.c of ACS.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 06 Oct 2013 03:24:26 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283749#M10607 Scott Fella 2013-10-06T03:24:26Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283750#M10608 <HTML><HEAD></HEAD><BODY><P>Yes With EAP-TLS we should have machine cert installed on the end-client and ACS 5.3 does support.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1170404">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1170404</A></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Sun, 06 Oct 2013 03:34:37 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283750#M10608 Jatin Katyal 2013-10-06T03:34:37Z https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283751#M10609 <HTML><HEAD></HEAD><BODY><P>Thank you all!</P></BODY></HTML> Sun, 06 Oct 2013 04:59:38 GMT https://community.cisco.com/t5/wireless/eap-tls-with-machine-certificate/m-p/2283751#M10609 Derrick Robba 2013-10-06T04:59:38Z