
802.1x with EAP-TLS and dACLs

g.raymakers
Level 1

Hi,

I'm looking to enable 802.1x on the wired network using EAP-TLS. The RADIUS server will be an ACS 5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that, so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine-based auth (clients run XP SP3 or Vista).

I'm not very clear about the following... based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up? Has anyone else tried this before?

In the 'worst' case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user ID. With PEAP I see it might be easier to extract user info out of AD to make a policy decision...?

Thanks,

Guy

1 Reply

Federico Lovison
Cisco Employee

Hi Guy,

Given that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so as to allow the authorization policy evaluation.

In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.

So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.

However, if you do so, the only attributes you can base your authorization policy evaluation on are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.

If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:

1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.

2) configure an "Identity Store Sequence" where you select:

  - Authentication Method List : Certificate based : "Certificate Authentication Profile"

  - Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores

In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so as to fetch additional attributes (group membership, etc.).

You can find relevant documentation about this on the ACS user guide:

- Configuring "Certificate Authentication Profile"

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057

- Configuring "Identity Store Sequence"

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132

- Managing policy elements:

http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html

I hope this helps.

Regards,

Federico

--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
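As an added worked example (not part of the original thread, and not Cisco's code), the following Python models the three identity-store modes the reply describes and shows what attribute set the authorization policy can see in each one: certificate-only validation (policy sees only non-binary subject attributes), binary comparison against the AD `userCertificate` attribute (authentication fails on mismatch or missing account), and an Identity Store Sequence with "AD1" in the attribute-retrieval list (group membership is fetched, no binary comparison). The AD records, certificate contents, dACL names and ACEs are constructed for the example; the mapping from certificate CN to the `HOST$` computer account, the deny-by-default fallback, and the behaviour that a missing AD object in store-sequence mode simply yields no group attributes are this example's assumptions, not statements about ACS internals. The `ip:inacl#N=` form is the cisco-av-pair encoding the switch receives for downloadable ACL entries.

```python
"""Constructed simulation of the three ACS 5 identity-store modes for EAP-TLS machine auth.

  cert_only       - validate the cert; policy sees only non-binary cert attributes
  binary_compare  - also fetch the AD object and require userCertificate == presented DER
  store_sequence  - fetch AD attributes (group membership) without binary comparison
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    subject: dict   # non-binary subject attributes (CN, OU, ...) visible to the policy
    der: bytes      # stand-in for the DER encoding; not real ASN.1 (constructed)


# Constructed stand-in for the "AD1" identity store: computer account -> attributes.
FAKE_AD = {
    "PC-A$": {"memberOf": ["BU-A-Machines", "Domain Computers"],
              "userCertificate": b"der:pc-a.corp.example"},
    "PC-B$": {"memberOf": ["BU-B-Machines", "Domain Computers"],
              "userCertificate": b"der:pc-b.corp.example"},
}

# Constructed downloadable ACLs; names and ACEs are this example's assumptions.
DACLS = {
    "FULL_ACCESS": ["permit ip any any"],
    "RESTRICTED": ["permit udp any any eq 53",
                   "permit tcp any host 10.10.10.10 eq 443",
                   "deny ip any any"],
}

# Authorization rules: (condition over resolved attributes, dACL name), first match wins.
# Group conditions can only fire when a backend lookup populated "groups".
RULES = [
    (lambda a: "BU-A-Machines" in a["groups"], "FULL_ACCESS"),
    (lambda a: "BU-B-Machines" in a["groups"], "RESTRICTED"),
    (lambda a: a["cert"].get("OU") == "BU-A", "FULL_ACCESS"),
    (lambda a: a["cert"].get("OU") == "BU-B", "RESTRICTED"),
]

# Constructed sample certificates: two known machines and one with a valid-looking
# cert (OU=BU-A) that has no computer account in AD.
SAMPLES = {
    "pc_a": ClientCert({"CN": "pc-a.corp.example", "OU": "BU-A"}, b"der:pc-a.corp.example"),
    "pc_b": ClientCert({"CN": "pc-b.corp.example", "OU": "BU-B"}, b"der:pc-b.corp.example"),
    "pc_z": ClientCert({"CN": "pc-z.corp.example", "OU": "BU-A"}, b"der:pc-z.corp.example"),
}


def account_for(subject):
    """Assumption: machine cert CN is the host FQDN and the AD computer account is HOST$."""
    return subject["CN"].split(".")[0].upper() + "$"


def resolve_attributes(cert, mode):
    """Return the attribute set the policy can evaluate, or None if authentication fails."""
    attrs = {"cert": dict(cert.subject), "groups": []}
    if mode == "cert_only":
        return attrs                      # no backend query at all
    record = FAKE_AD.get(account_for(cert.subject))
    if mode == "binary_compare":
        # Authentication itself fails when there is no AD object or the stored cert differs.
        if record is None or record["userCertificate"] != cert.der:
            return None
        attrs["groups"] = list(record["memberOf"])
    elif mode == "store_sequence":
        # No binary comparison; a missing account just yields no extra attributes (assumption).
        if record is not None:
            attrs["groups"] = list(record["memberOf"])
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return attrs


def authorize(cert, mode):
    """Return (result, dacl_name, av_pairs). No matching rule -> reject (example's default)."""
    attrs = resolve_attributes(cert, mode)
    if attrs is None:
        return ("Access-Reject", None, [])
    for cond, dacl in RULES:
        if cond(attrs):
            av_pairs = [f"ip:inacl#{i}={ace}" for i, ace in enumerate(DACLS[dacl], 1)]
            return ("Access-Accept", dacl, av_pairs)
    return ("Access-Reject", None, [])


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        for mode in ("cert_only", "binary_compare", "store_sequence"):
            print(f"{name:5} {mode:15} -> {authorize(cert, mode)}")
```

Running it side by side shows the practical difference: `pc_z` (a cert with OU=BU-A but no AD object) gets FULL_ACCESS in cert-only mode purely on the certificate's OU, is rejected under binary comparison, and in store-sequence mode falls through the group rules to the OU rule because nothing was fetched. Which of the three is right depends on whether the policy should trust what the CA put in the certificate or what AD says about the account today.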