is there any possibility to match on a custom EKU with ACS 5.5?
I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.
I know that it's possible with Microsoft NPS but I would prefer a solution with ACS. But in ACS the ceritifcate dictionary contains only a few attributes i.e. common name, issuer, subject, but not the Enhanced Key Usage (EKU).
ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.
When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.
To enable OID comparison you must:
•Enable EAP-TLS from the NAP page.
•Enter only contain numbers, dots, commas and spaces in the OID strings, for example: 220.127.116.11.18.104.22.168.2 is a valid OID string.
•Enter multiple OIDs as comma-separated values. For example: 22.214.171.124.126.96.36.199.1, 188.8.131.52.184.108.40.206.2 is a valid string.
Thanks for your Response!
Sorry, I did not mention, I'm running ACS version 5.4. So there is no NAP page. Is there a way for ACS 5.4, too?