ACS 5.2 allow only specified client cert

Hi there

I would like to implement a policy, where I specify which client cert (CN name) is allowed. Let's say we have 2 SSID's and 2 different client certs:

- client1.domain.com should only be allowed to connect to SSID1

- client2.domain.com should only be allowed do connect to SSID2

Both SSID's use machine certs for EAP-TLS and both certs are issued by the same CA cert. Does anybody know how to specify this in ACS 5.2?

Thanks in advance and best regards

Dominic

Accepted Solution

jrabinow (Level 7)

This should be possible

You can make conditions based on the CN name as follows:

- Create a custom condition: Policy Elements > Session Conditions > Custom. Select "Certificate Dictionary" and attribute "Common Name". Give it a name. Once you do this you can create a condition based on this in policies.

Do you have a RADIUS attribute to extract the SSID? Is it in the "Called-Station-ID" field?

Then create an authorization policy:

- If "Common Name" equals "client1.domain.com" and "SSID" equals "SSID1" then "Allow Access"

- If "Common Name" equals "client1.domain.com" and "SSID" equals "Any" then "Deny Access"

- If "Common Name" equals "client2.domain.com" and "SSID" equals "SSID2" then "Allow Access"

- If "Common Name" equals "client2.domain.com" and "SSID" equals "Any" then "Deny Access"

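To make the ordering point of the accepted answer concrete, here is an added model of that rule set in Python. It is not ACS code and not from the thread: it assumes the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>" (the usual Cisco WLC format; other NAS types may send the MAC alone), evaluates the rules first-match in the order given, falls through to an implicit Deny, and flags any Allow rule that is shadowed by an earlier "Any" Deny for the same CN. Rule names and the sample requests are constructed for the example.

```python
# Added example (not Cisco ACS code): first-match evaluation of the
# CN + SSID authorization rules proposed in the accepted answer.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"
ALLOW = "Allow Access"
DENY = "Deny Access"

# Assumed Called-Station-Id format "<AP-MAC>:<SSID>", e.g.
# "00-1a-2b-3c-4d-5e:SSID1". If the NAS sends only the MAC, no SSID
# can be recovered and the request must not match an SSID rule.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Return the SSID part of Called-Station-Id, or None if absent."""
    m = CALLED_STATION_RE.match(value.strip())
    return m.group("ssid") if m else None


@dataclass(frozen=True)
class Rule:
    name: str
    common_name: str  # exact, case-sensitive match on the cert Common Name
    ssid: str         # exact SSID, or ANY to match every SSID
    result: str       # ALLOW or DENY

    def matches(self, cn: str, ssid: str) -> bool:
        return self.common_name == cn and self.ssid in (ANY, ssid)


# The rule set from the accepted answer, in the order it must be evaluated.
# Rule names are hypothetical labels for this example.
RULES: List[Rule] = [
    Rule("client1-ssid1", "client1.domain.com", "SSID1", ALLOW),
    Rule("client1-deny",  "client1.domain.com", ANY,     DENY),
    Rule("client2-ssid2", "client2.domain.com", "SSID2", ALLOW),
    Rule("client2-deny",  "client2.domain.com", ANY,     DENY),
]


def authorize(cn: str, called_station_id: str,
              rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation. Returns (result, name of the rule that fired).

    A CN that matches no rule, or a request whose SSID cannot be
    extracted, falls through to the implicit default of Deny Access.
    """
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return DENY, "default (no SSID in Called-Station-Id)"
    for rule in rules:
        if rule.matches(cn, ssid):
            return rule.result, rule.name
    return DENY, "default (no matching rule)"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule for the
    same CN already matches every SSID. Catches the mistake of placing
    the 'Any -> Deny' rule above the specific 'SSIDx -> Allow' rule."""
    shadowed: List[str] = []
    seen_catch_all = set()
    for rule in rules:
        if rule.common_name in seen_catch_all:
            shadowed.append(rule.name)
        elif rule.ssid == ANY:
            seen_catch_all.add(rule.common_name)
    return shadowed


if __name__ == "__main__":
    # Constructed sample requests: (certificate CN, Called-Station-Id)
    samples = [
        ("client1.domain.com", "00-1a-2b-3c-4d-5e:SSID1"),
        ("client1.domain.com", "00-1a-2b-3c-4d-5e:SSID2"),
        ("client2.domain.com", "00-1a-2b-3c-4d-5e:SSID2"),
        ("client3.domain.com", "00-1a-2b-3c-4d-5e:SSID1"),
        ("client1.domain.com", "00-1a-2b-3c-4d-5e"),
    ]
    for cn, csid in samples:
        print(cn, csid, "->", authorize(cn, csid))
    print("shadowed rules:", shadowed_rules(RULES))
    print("misordered:", shadowed_rules([RULES[1], RULES[0]]))
```

Two things this makes visible that the rule list alone does not. First, the "Any" Deny rules only work because they sit below their specific Allow rule; swap the pair and the Allow can never fire, which is what shadowed_rules() reports. Second, because both certificates chain to the same CA, the CN is the only thing that separates the two SSIDs, so the check is only as strong as the CA's control over who can obtain a certificate with that CN; matching on the exact string (not a substring or wildcard) keeps a CN such as a longer name that merely contains "client1.domain.com" from matching.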

Hi jrabinow

Thanks a lot for your very quick response. I will try this next week when I am onsite again and will update this thread.

I extract the SSID with an "end station filter" (link to the thread where I got the information from: https://supportforums.cisco.com/message/3231646).

Best regards

Dominic

Why not use a single SSID and use dynamic VLAN assignments to allow only certain clients to go to certain WLANs? You can use the end station filters as a MAC list and set up a policy to restrict them to certain WLANs.
