Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
0
Helpful
1
Replies

ACS 5.1 and Windows Vista : Machine Certificate and AD-Account-Verification

swiss_ewok
Level 1
Level 1

‎08-04-2011 01:46 AM - edited ‎03-10-2019 06:16 PM

Hi there.

We plan to use machine certificates on our notebooks with Windows Vista. Our authenticating server is Cisco ACS 5.1. To access the wireless network we want to use the machine certificate of the notebook and a verification of the corresponding computer account in the Active Directory. The machine certificate won't store in Active Directory. The ACS Server checks the certificate locally and only the verification of the computer account will checked against the Active Directory.

What authentication method (EAP-TLS, PEAP...) to check the machine certificate and if exists the enabled corresponding computer account in the Active Directory ?

How to configure the ACS and the notebook to use it like described ?

Thanks.

Regards,

swiss_ewok

Labels:
0 Helpful
1 Reply 1

alex.dersch
Level 4
Level 4

‎08-04-2011 09:38 AM

Hello Swissewok,

there are different flavours of EAP available, it depends basicially on your security requirements. EAP-TLS is considered very secure but diffucult to implement. You need a client and a server certificate for a successful authentication. For PEAP you just need a server certificate for authentication.

First you have set up an CA.

2. Deploy the certificates to your notebooks.

3. Issue an certificate for your ACS

4. Set up the ACS to use Active Directory as an external Identity Source and map the appropriate OU's

4. Create Access Policies

5. Configure your Wireless Controller or Access Point to do EAP authentication

6. Configure your notebook's wireless connection for EAP authentication

Voila

there is a good book which explains the procedure quite good.

http://store.fullpond.com/cisco/ProductCompactBooks.aspx?catalogid=1&categoryid=7205&productid=7666

hope it helps

alex

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents