Cisco ACS, Multiple CA, VLAN assignment relevant to domain

Rob Simkins
Level 1

Hi all,

I've been looking for a solution to a specific customer requirement.

I'd like to authenticate wireless users with certificates from different Root CAs and assign them to a VLAN based on their domain, ideally using the same SSID and a Cisco ACS server.

Is it possible? Anyone seen it working?

I realise that ACS can have enterprise trust for the relevant Root CA (not sure which version is required for this?). And that VLAN assignment is also possible from a single SSID based on RADIUS attributes. But I'm not certain that these pieces would all fit together?!

Would really appreciate some guidance!

Thanks in advance

Rob

Accepted Solution

Nicolas Darchis
Cisco Employee

Hi,

Yes, all of this is possible. I would suggest you implement them one by one to make sure all is working, but there is no issue in doing this. All recent versions of ACS allow this.

You can do group mapping based on AD groups (so a group for each domain if you want) and assign the VLAN based on this group mapping.

The ACS can trust multiple CAs and authenticate users presenting certificates from all those CAs. It's just a matter of importing those CAs' certificates into the trust list.

And you can assign the VLAN and only use one SSID as well.

I can't guide you on the procedure as this depends on what versions you have and if you have IOS APs or a WLC, but it's basically every separate feature as in the config guide, just used all together.

Nicolas

===

Don't forget to rate answers that you find useful


6 Replies


Thanks for the reply Nicolas, that's really helpful.

The ACS STILL does not support having more than one certificate loaded on the ACS, so you won't be able to do actual mutual certificate validation with multiple CAs when using EAP-TLS with machine/user certs. PEAP with just basic root trust will be fine for multiple CAs.

Jan

Hi Jan,

Thanks also for your info, which again is very helpful for the design.

Are there any other RADIUS servers that support multiple CAs for TLS-based client auth that you are aware of?

If there is a one-to-one relationship between CA and RADIUS for TLS then that's fine, I'd just like to make sure.

Regards,

Rob

Hi,

What Jan wrote is not entirely true.

ACS only uses one cert for its own use (web browser and certificate authentication); however, ACS supports multiple CAs for client authentication with EAP-TLS.

In a situation of mutual authentication, the clients need to trust the unique ACS cert, but each client can use a cert issued by a different CA as long as the ACS trusts it.

You just need to add the multiple CA certs on the ACS under

Users and Identity Stores > Certificate Authorities

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

This post makes me question my stance as well; up until now I've agreed with Jan in that I have had no success trusting certificates from two different Root CAs.

Is there something I'm missing? I have both roots and all sub-CA certificates imported into Users and Identity Stores > Certificate Authorities and each one has the "Trust for client with EAP-TLS" option checked. It still didn't work, and then in troubleshooting I noticed the following:

The option that seemed to decide which certificate chain would be trusted is System Administration > Local Certificates; this area only allows me to select one single certificate for protocol EAP, and this is supported by the fact that the certificates from the Root CA specified here do work while the other does not.
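The trust model Tiago's reply and the last post are discussing (one ACS local certificate for EAP, a trust list that can hold several client CAs, and a VLAN chosen per domain) can be modelled end to end with the openssl CLI. The script below is an added example, not configuration from the thread, from Cisco ACS or from any of the posters: it builds two trusted root CAs plus one untrusted CA, issues the single server certificate and three client certificates, and then plays the two halves of mutual EAP-TLS. The CA labels, user names, VLAN IDs and the helper names `make_ca`, `issue`, `authorize_client` and `client_trusts_server` are constructed for the example; the three RADIUS attributes it prints are the standard RFC 2868 tunnel attributes a WLC consumes for dynamic VLAN assignment.

```shell
#!/bin/sh
# Added example (not from the thread): model the ACS trust model with openssl.
# One server certificate (the ACS "Local Certificate" used for EAP), a trust
# list of several client CAs, and a per-domain VLAN map returned as RADIUS
# tunnel attributes. All CA names, users and VLAN IDs below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# make_ca LABEL: self-signed root CA standing for the domain LABEL.example.
make_ca() {
  openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "ca-$1.key" -out "ca-$1.pem" -days 365 \
    -subj "/O=$1.example/CN=Root CA $1" >/dev/null 2>&1
}

# issue CA NAME EXT_SECTION: end-entity certificate NAME.pem signed by ca-CA.pem.
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "ca-$1.pem" -CAkey "ca-$1.key" \
    -CAcreateserial -days 365 -extfile pki.cnf -extensions "$3" \
    -out "$2.pem" >/dev/null 2>&1
}

make_ca corp-a; make_ca corp-b; make_ca untrusted
issue corp-a server server_ext        # the single ACS certificate, issued by corp-a
issue corp-a client-a client_ext      # user from domain corp-a.example
issue corp-b client-b client_ext      # user from domain corp-b.example
issue untrusted client-c client_ext   # issuer that is not in the trust list

# The ACS trust list: CA file, the domain it stands for, the VLAN for that domain.
TRUST_LIST="ca-corp-a.pem:corp-a.example:10 ca-corp-b.pem:corp-b.example:20"

# authorize_client CERT: the first trusted CA that validates the client
# certificate decides the domain and therefore the VLAN. Prints the RADIUS
# attributes for Access-Accept; returns 1 (Access-Reject) for an untrusted issuer.
authorize_client() {
  for entry in $TRUST_LIST; do
    ca=${entry%%:*}; rest=${entry#*:}; domain=${rest%%:*}; vlan=${rest#*:}
    if openssl verify -CAfile "$ca" "$1" >/dev/null 2>&1; then
      printf 'Access-Accept %s (issuer domain %s)\n' "$1" "$domain"
      printf 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\n'
      printf 'Tunnel-Private-Group-Id = %s\n' "$vlan"
      return 0
    fi
  done
  printf 'Access-Reject %s: issuer not in trust list\n' "$1"
  return 1
}

# client_trusts_server CAFILE: the client half of mutual TLS. Whatever CA issued
# the client's own certificate, it must hold the CA of the one ACS certificate
# or server validation fails.
client_trusts_server() {
  openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
}

authorize_client client-a.pem
authorize_client client-b.pem
authorize_client client-c.pem || true
client_trusts_server ca-corp-a.pem && echo "corp-a client validates the ACS certificate"
client_trusts_server ca-corp-b.pem || echo "corp-b client must also import ca-corp-a or it rejects the ACS certificate"
```

Run it with `sh`; it needs only the openssl CLI and writes into a temporary directory. The per-CA verify loop stands in for the trust-list entries with "Trust for client with EAP-TLS" checked, and the last two calls show the asymmetry Tiago describes: the server side may trust many client CAs, but every client has to trust the CA behind the single ACS certificate.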