08-27-2008 02:01 AM - edited 03-10-2019 04:03 PM
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
Let's say both user and computer certs are employed:
1. Both client and ACS perform a check with each other's certs to ensure they are known to each other. The EAP-TLS exchange.
2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. What is the parameter that is checked against the AD database?
I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Ken
08-28-2008 07:48 AM
Just out of interest, the pass was on an internal ACS DB, correct, and the fail was on an external DB?
Just as one said consulting the external DB and one did not?
Ta fella
Ken
08-28-2008 08:01 AM
When authentication passed, the user ID was on the external database (AD). I see where you are looking; the ACS debugs somehow did not provide enough information as to when it actually checked against the AD database. But the user ID was on AD.
Another proof that the user was checked against AD is that the user ID would be cached dynamically in the ACS database, under the "User Setup" section on ACS, and its password authentication would be automatically selected as "Windows Database".
HTH
Regards,
Prem
08-28-2008 11:47 PM
thx man, take care and thx for the huge help here.
Ken
03-03-2009 08:38 AM
Hey Prem, and all,
Long time no speak.
Saw this thread and thought this was very cool :))
I have one last question here.
On the ACS, there is the concept of setting the username during authentication.
Select one of the following options for setting username during authentication:
Use Outer Identity
Use CN as Identity
Use SAN as Identity
I don't fully understand this part of the EAP-TLS setup, as you are setting the comparison type before these options, i.e. just above on the ACS where you use CN/SAN/Binary?
Can anyone confirm what this bit actually does?
Many thx indeed,
Kind regards,
Ken
03-03-2009 02:24 PM
Some related documentation:
You can specify which user identity ACS uses when sending an authentication request after the EAP-TLS authentication handshake is completed. Use this option to search for a user in the database based on the identity you chose. By default, outer identity is used for EAP-TLS authentication. Select one of the following options:
• Use Outer Identity - The outer identity is taken as the username to search for in the database.
• Use CN as Identity - The Certificate Name is taken as the username to search for in the database.
• Use SAN as Identity - The Subject Alternative Name from the user certificate is taken as the username to search for in the database.
Note: SAN and CN outer identities cannot be used for EAP-TLS machine authentication.
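The three comparison types quoted in the opening post (CN, SAN, binary) and the username-selection options quoted just above, worked through as one added example in Go. This is not code from the thread or from Cisco ACS. It generates a self-signed client certificate with the standard library (an assumption; real clients hold CA-issued certificates), uses an in-memory map as a stand-in for the AD/LDAP directory, and carries the identity in an e-mail SAN rather than the UPN otherName that AD deployments normally use (also an assumption). The type names, the DirectoryUser record and the sample user "kenuser" are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type IdentitySource int // ACS "setting username during authentication" option
type Comparison int     // ACS certificate comparison type
const (
	UseOuterIdentity IdentitySource = iota
	UseCNAsIdentity
	UseSANAsIdentity
)
const (
	CNComparison Comparison = iota
	SANComparison
	BinaryComparison
)

// DirectoryUser is a constructed stand-in for an AD/LDAP record (UPN is matched against the SAN).
type DirectoryUser struct {
	Username, UPN   string
	UserCertificate []byte // DER as stored in the userCertificate attribute
}

// MakeClientCert builds a self-signed client cert with a CN and an e-mail SAN; self-signing and
// e-mail in place of AD's usual UPN otherName are assumptions that keep this in the stdlib.
func MakeClientCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Username picks the name searched for after the handshake; "" means no usable identity.
func Username(cert *x509.Certificate, outer string, src IdentitySource) string {
	switch {
	case src == UseOuterIdentity:
		return outer
	case src == UseCNAsIdentity:
		return cert.Subject.CommonName
	case src == UseSANAsIdentity && len(cert.EmailAddresses) > 0:
		return cert.EmailAddresses[0]
	}
	return ""
}

// Authorize is the post-handshake directory check: CN and SAN comparison test a value pulled
// from the cert against the record, binary comparison needs the presented DER to equal the
// stored userCertificate byte for byte. Chain validation in the handshake is assumed done.
func Authorize(dir map[string]DirectoryUser, cert *x509.Certificate, username string, c Comparison) (bool, string) {
	user, ok := dir[username]
	if !ok {
		return false, "user not found: " + username
	}
	var match bool
	switch c {
	case CNComparison:
		match = cert.Subject.CommonName == user.Username
	case SANComparison:
		match = len(cert.EmailAddresses) > 0 && cert.EmailAddresses[0] == user.UPN
	case BinaryComparison:
		match = bytes.Equal(user.UserCertificate, cert.Raw)
	}
	return match, fmt.Sprintf("comparison %d evaluated for %s", c, username)
}

func main() {
	cert, err := MakeClientCert("kenuser", "kenuser@example.com")
	if err != nil {
		panic(err)
	}
	rec := DirectoryUser{Username: "kenuser", UPN: "kenuser@example.com", UserCertificate: cert.Raw}
	dir := map[string]DirectoryUser{rec.Username: rec, rec.UPN: rec} // constructed, indexed by both names
	fmt.Println(Authorize(dir, cert, Username(cert, "anonymous", UseCNAsIdentity), BinaryComparison))
}
```

The identity source only decides which string is looked up in the directory; the comparison type decides what is then checked against the record found. A second certificate with the same CN and SAN but a freshly generated key still passes CN and SAN comparison, because only a name pulled from the certificate is checked, but fails binary comparison, because the whole DER no longer equals the stored userCertificate.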
03-04-2009 02:02 AM
Hi There,
I am really sorry here, that I don't understand.
So, the way I understand it to work:
EAP-TLS auth happens. At this point, certs are exchanged; we use SAN or CN to compare from the cert to Active Directory, and then auth is sent back from AD to ACS and ACS sends the EAP-success/fail message to the client.
That is dictated in the first config section of the ACS for EAP-TLS.
Now, the second part I am still lost on: when does EAP-TLS do authentication outside of, or after, EAP-TLS has been achieved?
I am confused?
Many Thx, once again,
Ken