06-02-2018 08:13 AM - edited 02-21-2020 10:57 AM
Folks,
We are looking for some help on certificate based authentication on our Cisco 3850 for LAN based authentication. The authentication feature is planned to be rolled out only on ports which are in the user VLAN and for other ports we would use MAC based authentication. We are going to authenticate against ACS 5.5.
Any suggestions on proceeding with this? I had received some solutions initially but all we see on the ACS is some MAC address trying to authenticate. This does not succeed.
Please provide me with some suggestions on getting this going.
Regards,
N!!
06-02-2018 08:19 PM
ACS 5.5 has reached its last date of support, per End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.5. ACS 5.8 has reached End of Sale and is only a couple of months away until the end of software maintenance. Thus, please plan on migrating to ISE by reviewing the info @ http://cs.co/acstoise
In order for an endpoint to perform certificate-based 802.1X, the endpoint needs an identity/personal certificate suitable for EAP-TLS client authentication and the 802.1X supplicant on the endpoint OS configured to do so. Certificates / Private Key Infrastructure (PKI) has several materials for reference.
06-03-2018 12:43 AM
Yes, we are aware of the EoL for the Cisco ACS. However, the replacement plans are futuristic. As an immediate need I actually need to get in some security on my existing infrastructure so I am looking for help with that.
Could someone please provide some guidelines on 802.1x security with use of certificates on Cisco 3850 switches with the ACS please?
06-03-2018 07:02 AM
The configuration on the client side is the same for ISE and ACS. For ACS configuration, please check out the following:
Solved: 802.1x EAP-TLS for wired users with ACS... - Cisco Support Community
Lab Minutes has several videos on ACS -> Video: Security - ACS | Lab Minutes
04-09-2019 11:32 PM
Hi,
May I know whether the "aaa authorization network" command will affect anything currently in the switch like telnet, SSH, etc.? Do I really need these 2 commands below for 802.1x authentication with a RADIUS server, or is "aaa authentication dot1x ..." sufficient?
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
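As an added example (not posted by anyone in this thread, and not a Cisco reference configuration), the switch-side pieces that the original question and the last reply are both asking about: the global AAA lines, a RADIUS server definition, a user-VLAN port that tries 802.1X first and falls back to MAB, and a non-user port that runs MAB only. The switch never terminates EAP-TLS; it relays EAP frames between the supplicant and the RADIUS server, so the certificate work is on the endpoint and on ACS, as the second reply says. The RADIUS address, shared secret, VLAN and interface numbers are placeholders. Regarding the last question: `aaa authorization network` only governs authorization of network-service sessions (the attributes ACS returns for a dot1x or MAB session, such as a VLAN or dACL); telnet and SSH exec authorization is a separate `aaa authorization exec` method list, which this example does not define. What does change vty and console behaviour is `aaa new-model` itself, which is why the login method list is stated explicitly below.

```cisco
! ---- Global AAA (assumed 3850 running IOS-XE in legacy "authentication ..." mode)
aaa new-model
! aaa new-model switches line login to AAA; pin it to the local database
! so an existing console/vty session is not locked out while RADIUS is being tested.
aaa authentication login default local
! 802.1X credential exchange is relayed to RADIUS (EAP-TLS runs end-to-end, switch is transparent)
aaa authentication dot1x default group radius
! Needed only if ACS returns per-session authorization attributes (VLAN, dACL, etc.);
! it does NOT touch exec/login authorization for telnet or SSH.
aaa authorization network default group radius
! Optional but recommended: session start/stop records on ACS for audit and troubleshooting.
aaa accounting dot1x default start-stop group radius
!
! ---- RADIUS server (placeholder address and secret)
radius server ACS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
!
! ---- Enable 802.1X globally; without this no port will authenticate
dot1x system-auth-control
!
! ---- User-VLAN access port: certificate 802.1X first, MAB only as fallback
interface GigabitEthernet1/0/1
 description User VLAN - dot1x (EAP-TLS) with MAB fallback
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 ! try dot1x first; move to MAB only if dot1x fails or the client never answers EAP
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 ! shorter EAP-Request/Identity retry so devices without a supplicant fall to MAB sooner
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! ---- Non-user port (printer, phone, etc.): MAC Authentication Bypass only
interface GigabitEthernet1/0/2
 description Non-user port - MAB only
 switchport mode access
 switchport access vlan 200
 authentication port-control auto
 authentication order mab
 mab
 spanning-tree portfast
```

To check which method a port actually used, run `show authentication sessions interface GigabitEthernet1/0/1 details`: it lists the method (dot1x or mab), the status, and the identity sent to RADIUS. If ACS only ever sees a MAC address from a user-VLAN port, the session fell through to MAB because the endpoint never responded to the EAP identity request, which points at the supplicant or its client certificate rather than at the switch or ACS policy.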