https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705975#M11111 <P>hello, </P><P>i have a client who provides wireless access to separate entities in the same building.</P><P>Right now he's using LEAP and ACS database. Now he would like to move toward eap-tls because it's the most secured.</P><P></P><P>Usually, I install eap-tls within a active directory and distribute machine certificate via policy. Now the problem is that his laptops are not in a Active directory domain because they come from unrelated entities.</P><P></P><P>My idea was to use a fictionnal active directory just for the database purpose, and download machine certificate manually via the web. (the client gets his hand on each laptop to configure LEAP)</P><P></P><P></P><P>Does anybody have a bright idea to deploy machine certificate without active directory; I think that no matter what, we need a database.</P><P></P><P>Thank your for your suggestions.</P> Sat, 03 Jul 2021 20:16:46 GMT lionellemaire 2021-07-03T20:16:46Z https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705975#M11111 <P>hello, </P><P>i have a client who provides wireless access to separate entities in the same building.</P><P>Right now he's using LEAP and ACS database. Now he would like to move toward eap-tls because it's the most secured.</P><P></P><P>Usually, I install eap-tls within a active directory and distribute machine certificate via policy. Now the problem is that his laptops are not in a Active directory domain because they come from unrelated entities.</P><P></P><P>My idea was to use a fictionnal active directory just for the database purpose, and download machine certificate manually via the web. (the client gets his hand on each laptop to configure LEAP)</P><P></P><P></P><P>Does anybody have a bright idea to deploy machine certificate without active directory; I think that no matter what, we need a database.</P><P></P><P>Thank your for your suggestions.</P> Sat, 03 Jul 2021 20:16:46 GMT https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705975#M11111 lionellemaire 2021-07-03T20:16:46Z https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705976#M11112 <HTML><HEAD></HEAD><BODY><P>Since your customer is the control point, then putting in an AD under his control would be a good idea...he'd own the domain.</P><P></P><P>Perhaps you could partition the tree such that each of his customers is an OU, and set up each user as you normally would. </P><P></P><P>Define access according to the user's OU as a group. </P><P></P><P>I believe it would be a good way to go. </P><P></P><P>Without an AD, you can have the users acces the CA directly (<A class="jive-link-custom" href="http://" target="_blank">http://</A><HOSTNAME_OR_ADDRESS>/certsrv for a Microsoft CA)</HOSTNAME_OR_ADDRESS></P><P></P><P>OR, you did say your customer has access to the laptops for configuration, you could just install the certs manually when you set them up for EAP-TLS. </P><P></P><P>OR, if you can talk your customer into using EAP-FAST, it's also very secure and doesn't require a user-side certificate (and is compatible with wireless IP Phones, which EAP-TLS is not, AFAIK).</P><P></P><P>Good Luck</P><P></P><P>Scott</P><P></P><P></P><P></P></BODY></HTML> Sun, 26 Nov 2006 16:04:06 GMT https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705976#M11112 scottmac 2006-11-26T16:04:06Z https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705977#M11113 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P>The client certainly will not impose AD on his customers so I will just install the certificate manually and do machine authentication.</P><P></P><P>But the certificates certify a username. I tried setting that username in the ACS database but now what password should I use in ACS ?? </P><P></P><P>I don't think the PC will send a password. </P><P>Do you think that could work ? </P><P>the pc says cn=host/test_pc and the ACS checks that and grants access provided they both trust the same CA ? </P><P>I think that the ACS will try to check the password of cn=host/test_pc if ACS has this username in its local database.</P><P></P><P>Thanks for your help.</P></BODY></HTML> Tue, 28 Nov 2006 10:48:00 GMT https://community.cisco.com/t5/wireless/eap-tls-without-active-directory/m-p/705977#M11113 lionellemaire 2006-11-28T10:48:00Z