01-26-2011 01:28 PM - edited 03-10-2019 05:45 PM
I've been using ACS 4.2 for Windows for a couple of years now and I'm fairly comfortable with it. The 5.2 model is a lot more different than what I was anticipating. We have downloaded the 90 day trial in our lab and I'm trying to get 802.1x wired working so we can be sure we want to purchase it. I've searched all over the place and I've been unable to find some basic instructions on how to configure the following scenario in a step-by-step process:
1. AD integrated
2. EAP-TLS
3. Machine Certificates
4. Microsoft CA
5. Supplicant is XP SP 3
6. Non-Cisco 802.1x compliant switches (switches aren't the issue)
I've gotten TACACS to work fairly easily, but I'm confident the issues I'm having are user based :). Does anybody know of a doc somewhere that goes over a scenario like this (besides the user manual and ISBN migration docs)? Also, we have software assurance on our 4.2 box - will TAC support questions we have about the 5.2 box while we are demoing it?
Thanks in advance.
01-28-2011 02:08 AM
Hello Christopher.
I will try to give you some hints to achieve what you want.
Additional info can be found in the user guide:
1- In Identity store / Active directory, check "Enable machine authentication"
2- Import certificate for ACS
Go to System Administration > Configuration > Local Server Certificates > Local Certificates and click the add button.
Select the way you want to import the certificate, then check EAP Protocol
3- Add your switches as aaa clients
Go to Network Resources > Network Devices and AAA Clients, click create and configure the IP address + shared secret for RADIUS.
4- Go to Access Policies > Access Services and click create a new access service.
Select User Selected Service Type, and choose network access in the list.
Check identity, group mapping, and authorization
5- Go to Access Policies > Service Selection Rules, and select 'Rule based result selection' if not already done, then click the button customize in the bottom right of the screen, and add the properties that allow you to match the devices with which you want to do TLS.
You can use the devices' IP, or you can create an NDG (in Network Resources), assign your devices to this NDG, and match this NDG in your rule.
If all your RADIUS switches will do EAP-TLS, you can as well modify the rule
| Rule-1 | match Radius | Default Network Access |
so that in the result you choose your access service created in step 3.
6- Go to Access Policies, and Click on the access-service you have created in step 3. In the allowed protocols tab, Check EAP-TLS
7- Unfold the menu of your access-service, then click identity. Select your AD as the identity source
8- Check that the rule "Permit Access" is selected in the authorization of your access-service
These steps define your devices, then create a rule to tell ACS that it must use a particular access service for these devices, and define this access service to use AD for authentication.
Again, these are the basic steps; it might miss some things to do depending on your configuration, but I hope that will help you.
ACS 5 can be tricky at the beginning, but once you get your hands on it you'll see this is powerful.
01-28-2011 05:06 AM
Christopher, I'm glad this helped you, thanks for the rating.
You can find instructions on the XP Registry keys here:
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
Regards,
Bastien.
01-26-2011 01:40 PM
I have been doing the same thing only I have been using PEAP. I think I got the majority of the things figured out. Basically, ACS 5.2 joins your AD domain.
It took me at least 3 or 4 reads through the user guide to figure out what I wanted to do. Also, TAC will not support a demo version; they will refer you to your Cisco acct team.
01-26-2011 01:46 PM
I guess I should have given more detail, joining to the domain was very straightforward. Getting it to authenticate with certificates is what I'm failing at.
01-28-2011 04:59 AM
Thanks for the detailed reply! This gets me off to a great start and got a basic configuration working for me. 5 stars and correct answer for you. I'm finding a big difference in how this all works between Windows XP and Windows 7 however. With Windows 7 - works well and almost right out of the box. Very minimal configuration. With Windows XP, not so much. I know there is a registry key that must be changed to get XP to use machine authentication rather than user authentication:
HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
New DWORD AuthMode, value 2
However, when I Wireshark the box, I still see it trying to send the machine certificate and the user credentials to the ACS. The machine cert passes with a type (X509) but the user fails with type (EAP-TLS). Weird.
03-14-2011 11:54 AM
Hello,
I am trying to solve a problem involving these exact same components and came across this discussion.
We are using the Windows XP supplicant with EAP-TLS. The authentication works fine, but the authorization does not work. I would like to either:
1) make sure the certificate being used is signed by a particular CA and not just any CA that is trusted by the ACS
2) authenticate the machine using Active Directory groups.
I have no idea how to configure 1) on the ACS and 2) is not working for us.
I have configured the ACS in the following way:
- External Identity Stores > Active Directory > checked Enable password change and Enable machine authentication
- Access Policies > Access Services > Network Access > checked Identity and Authorization and allowed EAP-TLS
- Access Policies > Access Services > Network Access >Identity (THIS PART WORKS) validating Authentication Method=x509_PKI and setting Identity Source to CN Username
- Access Policies > Access Services > Network Access > Authorization validating AD External Groups and System:UserName starts with host/
Is there something I have not configured correctly?
Can you tell me how to get method 1) to work?
Thanks!
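Goal 1) in the post above, accepting only certificates issued by one particular CA rather than any CA the server happens to trust, is a chain-validation question that can be checked outside ACS as well. The shell script below is an added example and is not code from this thread or from Cisco: it builds a throwaway lab PKI (two made-up roots, "Lab Issuing CA" and "Other Trusted CA", and one machine certificate for the invented host ws01.lab.example issued by the first) and then shows the two checks that "signed by a particular CA" amounts to: the certificate's issuer DN equals the expected CA's subject DN, and its signature verifies when that CA is the only trust anchor offered. Point `pinned_to_ca` at an exported machine certificate and the CA certificate you expect to see, and it tells you whether that CA actually issued it.

```shell
#!/bin/sh
# Added example (not from the thread): check that an EAP-TLS machine certificate
# chains to one specific issuing CA, not merely to "some CA the server trusts".
# Every CA, key and certificate below is constructed in a temp dir for the demo;
# the names (Lab Issuing CA, Other Trusted CA, ws01.lab.example) are made up.
set -e
WORK=$(mktemp -d)

# Subject/issuer DN in RFC 2253 form so the two can be compared as plain strings.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Return 0 only if CERT's signature chain validates using CAFILE alone.
# -no-CApath / -no-CAfile keep the system trust store out of the decision.
verify_issued_by() {
  ca="$1"; cert="$2"
  openssl verify -no-CApath -no-CAfile -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Combined check: issuer DN must equal the expected CA's subject DN AND the
# signature must verify under that CA. Prints "pinned" or "not-pinned".
pinned_to_ca() {
  if [ "$(issuer_of "$2")" = "$(subject_of "$1")" ] && verify_issued_by "$1" "$2"; then
    echo pinned
  else
    echo not-pinned
  fi
}

# --- constructed lab PKI: two self-signed roots, one machine cert from the first ---
mk_root() { # $1 = file base name, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk_root issuing-ca "Lab Issuing CA"
mk_root other-ca   "Other Trusted CA"

openssl req -newkey rsa:2048 -nodes -subj "/CN=ws01.lab.example" \
  -keyout "$WORK/machine.key" -out "$WORK/machine.csr" 2>/dev/null
openssl x509 -req -in "$WORK/machine.csr" -CA "$WORK/issuing-ca.pem" \
  -CAkey "$WORK/issuing-ca.key" -CAcreateserial -days 2 \
  -out "$WORK/machine.pem" 2>/dev/null

echo "issuer of machine cert: $(issuer_of "$WORK/machine.pem")"
echo "against Lab Issuing CA:  $(pinned_to_ca "$WORK/issuing-ca.pem" "$WORK/machine.pem")"
echo "against Other Trusted CA: $(pinned_to_ca "$WORK/other-ca.pem" "$WORK/machine.pem")"
```

The second run deliberately fails even though "Other Trusted CA" is a perfectly valid root: a server whose trust list contains several roots will accept a client certificate from any of them, so the control is to offer only the intended issuing CA as a trust anchor, which is what `-no-CApath -no-CAfile -CAfile` simulates here.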