cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1376
Views
5
Helpful
7
Replies

EAP-TLS authentication with ACS 5.2

davidlow8606
Beginner
Beginner

Hi all,

I have question on EAP-TLS with ACS 5.2.

If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?

Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?

If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?

And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.

And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?

Hope you guys can help on this. THanks.

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

Hope this will answer most of your questions:

Client or user certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t10

Machine certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t15

In case of EAP-TLS we have to have machine and user certificate installed on the machines.

Regards,

Jatin

Do rate helpful posts-

~Jatin

View solution in original post

7 Replies 7

Jatin Katyal
Cisco Employee
Cisco Employee

Hope this will answer most of your questions:

Client or user certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t10

Machine certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t15

In case of EAP-TLS we have to have machine and user certificate installed on the machines.

Regards,

Jatin

Do rate helpful posts-

~Jatin

Hi Jatin,

Thanks for the reply. But what about the user own device? will the user be able to get the user certificate on their own?

If using both user cert and machine cert, then user will not be challenged for any credential during the authentication process right?

Regards,
David

If the user is not a part of the domain, they won't get a certificate hence they won't be able to connect.

In EAP-TLS, there is no user/password prompt. It's a pure certificate authenticate so yes users will not get any prompt for username and password.

Regards,

Jatin

~Jatin

Hi Jatin,

One last question, wondering whether have you come across doing machine authentication only?

Let's forget about the EAP-TLS, if I am using PEAP and ms-chapv2, and i would only like to do machine authentication. As long as the computer is part of domain computers, they will be able to access to the network right?

What if this computer is part of domain computer, but user logged in to local PC instead of domain, will they still get full access to the network?

Thanks.

Regards,

David

Yes, you can configure:

machine authentication only

user authentication only

Machine and user authentication.

Machine or user authentication

So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.

PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:

host/computer.domain

If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.

Regards,

Jatin

~Jatin

Hi Jatin,

is there any chance that I can have access to this document as the website says that i may not be entitiled.

I am in the same dilema about which EAP type to use and how machine authentication works with certificates.

Mario

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers