11-16-2010 06:39 AM - edited 03-10-2019 05:34 PM
Hi all,
I've been looking for a solution to a specific customer requirement.
I'd like to authenticate wireless users with certificates from different Root CAs and assign them to a VLAN based on their domain, ideally using the same SSID and a Cisco ACS server.
Is it possible? Anyone seen it working?
I realise that ACS can have enterprise trust for the relevant RootCA (not sure which version is required for this?). And that VLAN assignment is also possible from a single SSID based on RADIUS attributes. But I'm not certain that these pieces would all fit together?!
Would really appreciate some guidance!
Thanks in advance
Rob
11-16-2010 01:01 PM
Hi,
Yes all of this is possible. I would suggest you implement them one by one to make sure all is working but there is no issue in doing this. All recent versions of ACS allow this.
You can do group mapping based on AD groups (so a group for each domain if you want) and assign vlan based on this group mapping.
The ACS can trust multiple CAs and authenticate users presenting certificates from all those CAs. It's just a matter of importing those CAs' certificates into the trust list.
And you can assign the vlan and only use one ssid as well.
I can't guide you on the procedure as this depends on what versions you have and whether you have IOS APs or a WLC, but it's basically every separate feature as in the config guide, just used all together.
Nicolas
===
Don't forget to rate answers that you find useful
11-17-2010 08:26 AM
Thanks for the reply Nicolas - that's really helpful
11-17-2010 09:25 AM
The ACS STILL does not support having more than one certificate loaded on the ACS, so you won't be able to do actual mutual certificate validation with multiple CAs when using EAP-TLS with machine/user certs. PEAP with just basic root trust will be fine for multiple CAs.
Jan
11-17-2010 03:51 PM
Hi Jan,
Thanks also for your info, which again is very helpful for the design.
Are there any other RADIUS servers that support multiple CAs for TLS-based client auth that you are aware of?
If there is a one-to-one relationship between CA and RADIUS for TLS then that's fine, I'd just like to make sure.
Regards,
Rob
11-17-2010 11:38 PM
Hi,
What Jan wrote is not entirely true.
ACS only uses one cert for its own use (web browser and certificate authentication), however ACS supports multiple CAs for client authentication with EAP-TLS.
In a situation of mutual authentication, the clients need to trust the unique ACS cert, but each client can use a cert issued by a different CA as long as the ACS trusts it.
You just need to add the multiple CA certs on the ACS under
Users and Identity Stores > ... > Certificate Authorities
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
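The trust model Tiago describes (one server certificate on the RADIUS side, a trust list holding several root CAs for client certificates) and Nicolas's point that the per-domain group can then drive the VLAN can be checked outside of ACS with a throwaway PKI lab. The script below is an added example, not code from this thread or from Cisco: it builds three root CAs with openssl, puts only two of them into the server's trust list, issues one client certificate per CA, and then makes the authorization decision a RADIUS server would make, returning the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that a WLC uses for dynamic VLAN assignment. Keying the VLAN on the issuing CA stands in for the ACS group mapping; in a real deployment that mapping comes from the AD group. It assumes openssl 1.1.1 or newer on PATH; the CA names, user names and VLAN numbers are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): a throwaway PKI lab that models the
# trust relationship described above. The RADIUS server keeps ONE trust list holding
# several root CAs; a client certificate is accepted if it chains to any CA in it.
# VLAN attributes are the RFC 3580 tunnel attributes; choosing them by issuing CA
# stands in for the ACS group mapping (per-domain AD group -> VLAN).
# Assumes: openssl (1.1.1 or newer) on PATH. CA names, client names and VLAN
# numbers are constructed for the example.
set -eu
LAB="$(mktemp -d)"

# Minimal config so the lab does not depend on the system openssl.cnf.
cat > "$LAB/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

make_ca() {  # $1 = CA name; writes $LAB/$1.key and self-signed $LAB/$1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$LAB/openssl.cnf" -extensions v3_ca -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

make_client() {  # $1 = issuing CA, $2 = client name, $3 = serial; writes $LAB/$2.pem
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$LAB/openssl.cnf" \
    -subj "/CN=$2" -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -set_serial "$3" -days 1 -sha256 -extfile "$LAB/openssl.cnf" \
    -extensions v3_client -out "$LAB/$2.pem" 2>/dev/null
}

verify_client() {  # succeeds iff cert $1 chains to a CA in the server's trust list
  openssl verify -CAfile "$LAB/trusted.pem" "$1" 2>&1 | grep -q ': OK$'
}

vlan_for() {  # print RFC 3580 VLAN attributes chosen by the issuing CA of cert $1
  issuer="$(openssl x509 -in "$1" -noout -issuer)"
  case "$issuer" in
    *RootCA-A*) vlan=10 ;;   # domain A -> VLAN 10 (constructed)
    *RootCA-B*) vlan=20 ;;   # domain B -> VLAN 20 (constructed)
    *) return 1 ;;
  esac
  printf 'Tunnel-Type=VLAN Tunnel-Medium-Type=IEEE-802 Tunnel-Private-Group-Id=%s\n' "$vlan"
}

authorize() {  # the RADIUS decision for client cert $1: attributes, or REJECT
  if verify_client "$1"; then
    vlan_for "$1"
  else
    echo "REJECT"
    return 1
  fi
}

# Three roots exist, but only A and B go into the server's trust list (the role the
# ACS "Certificate Authorities" store plays); C models a CA nobody imported.
make_ca RootCA-A; make_ca RootCA-B; make_ca RootCA-C
cat "$LAB/RootCA-A.pem" "$LAB/RootCA-B.pem" > "$LAB/trusted.pem"
make_client RootCA-A alice 1001
make_client RootCA-B bob   1002
make_client RootCA-C carol 1003

for user in alice bob carol; do
  printf '%s: ' "$user"
  authorize "$LAB/$user.pem" || true
done
```

Running it prints one line per user: alice and bob get VLAN attributes for their own domains because their certificates chain to a CA in the trust list, while carol is rejected even though her certificate is otherwise well formed. The server's own certificate, the single ACS certificate that every client must trust, is the other half of mutual authentication and is independent of how many CAs sit in the client trust list, which is the distinction the thread turns on.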
01-19-2011 01:21 PM
This post makes me question my stance as well; up until now I've agreed with Jan in that I have had no success trusting certificates from two different Root CAs.
Is there something I'm missing? I have both roots and all sub-CA certificates imported into Users and Identity Stores > Certificate Authorities and each one has the "Trust for client with EAP-TLS" option checked. It still didn't work, and then in troubleshooting I noticed the following:
The option that seemed to decide which certificate chain would be trusted is System Administration > Local Certificates; this area only allows me to select one single certificate for protocol EAP, and this is supported by the fact that the certificates from the Root CA specified here do work while the other does not.