Showing results for 
Search instead for 
Did you mean: 

802.1x Authentication



Just looking for some more information on wired 802.1x authentication.  I currently run ACS 4.1, and I know that it can be integrated with AD for authentication purposes.  Does anyone have information on whether or not you can take it a step further & use CAC / smartcard authentication?  There's not much information that I can find about this topic, so anything posted is helpful!

Thanks -


4 Replies 4

Kent Heide

The ACS supports RSA among other things. What solution are you running?

We're currently using CAC authentication (Common Access Cards).  I did see that RSA is supported, but we don't use

RSA tokens right now.



With the CAC cards, don't you end up pointing to an LDAP to verify the certificate?  I would assume that all you'd need to do is make sure you have the

root and subordinate certs trusted in ACS then point to an LDAP as the external directory (instead of AD) where you can verify the certs.

HOWEVER, my experience with 802.1x and ACS (limited as it may be) has been that you still need a supplicant on the client side to handle the certificate auth communication.

Jatin Katyal
Cisco Employee
Cisco Employee


CAC authentication will be done via EAP-TLS on the ACS.  Here is a configuration example and the EAP-TLS configuration guide for ACS:

How do I use a CAC

Certificates are stored on the chip embedded in the Common Access Card (CAC). The chip also contains a processor, which responds to two protocols, PKCS#11 and Microsoft CAPI. To use a CAC, the workstation must have a smart card reader installed and must have  software installed that enables the interaction between the application and the CAC, called middleware. The installation of smart card readers and middleware is the responsibility of
the command that controls the workstation configuration. Once the reader and middleware have been installed, some applications, including Microsoft
Outlook and Microsoft Internet Explorer, require configuration to install the certificates from the smart card into the application. The private keys never leave the card, but the configuration step tells the application that the private key associated with the certificate can be found on the CAC. This configuration is also the responsibility of the command that controls the workstation configuration, but requires that the card be present in the card reader to perform the configuration. After the workstation is configured, using the CAC involves putting the card in the reader prior to use, and using the user interface provided by the PK-Enabled client application to sign, decrypt, or identify yourself to PK-Enabled information systems. The CAC must be unlocked prior to use by entering the PIN when requested. If the PIN is entered incorrectly four times in a row, the CAC will lock and require a visit to a RAPIDS terminal or a CAC
PIN Reset station for unlocking.



Do rate helpful posts-

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: