Hi Eddy,
Thanks for the PM and I hope I can help you with your efforts.
First, I understand your need, you want ONLY devices that have a company certifciate to gain access to the wireless network. If a device is configured with AD and PASSWORD but doesnt have a certifixate it isnt allowed access.
With that being said, let me take a step back and share with you a few of the basics rather then just give you the quick anwser.
There are dozens of EAP types. Each EAP is a different authentication method. PEAP, LEAP, FAST, TTLS, TLS etc are the most common EAP types used on wireless network.
PEAP, FAST, TLS, require a server certifciate. This certificate has one purpose and one purpose only. It is used much like a HTTPS web site. To secure a tunnel whereby a wireless client can securly send the AD and PASSWORD without being snifffed over wireless. When your client connects, your ACS server send this cert to the client. The client will take this cert and build a tunnel. Once the tunnel is made, the client sends the AD and password. Thats it .. nothing more.. With that beaing said, client side certs arent used.
EAP-TLS - This is a EAP that requries BOTH server side and client side .
We can talk a lot more about this but chew on the above and the below links and video ..
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_config.html#wp1052640
http://www.youtube.com/watch?v=Wk_bRdmsQlA
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
