
ACS 5.2 EAP-TLS User Accounts

paul_murphy
Level 1

Hello,

I have a project to deploy dot1x wireless using certificate authentication only - i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.

So no further checking of user/machine credentials required.

My question is, in this case, is there any requirement for user accounts to be defined on the ACS? From the documentation it isn't clear. I am expecting that the ACS will extract the username from the certificate CN or SAN for reporting purposes, and add them as a dynamic user, so no need to define user accounts. The clients will be varying - anything from handheld devices to Windows machines.

Do I have this right?

Thanks,

Paul

3 Replies

jrabinow
Level 7

No need to create a user account

BTW In ACS 5 the concept of a dynamic user does not apply

Thanks

So is it really as simple as this:

1) Define the network clients: APs / WLCs + radius stuff

2) Issue cert to ACS

3) Install internal CA cert and mark as trusted

4) Enable EAP-TLS as the authentication mechanism

Cheers,

Paul

Hi Paul,

Yes, in a nutshell that's all that is needed.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.