I have an ASA and I am using an ACS server which is a VMware appliance.
My question now is that I would like to authenticate two different types of devices from a single RADIUS client.
Device 1 – Authenticating using Username and Password from Domain 1 and a Device Certificate from CA1
Device 2 – Authenticating using Username and Password from Domain 2 and a User Certificate from CA2
Can a single Cisco ACS server be configured to do this? If not, can 2 Cisco ACS servers be configured to do this, bearing in mind it is a single RADIUS client which can only direct authentication traffic to a single RADIUS server?
Any update on this would be appreciated.
Thanks in advance.
You can have ACS trust multiple CAs.
ACS can only be joined to one domain, but you can authenticate users on other domains if trusts have been established between those domains and the one to which ACS is joined.
Thanks for the information provided.
Could you also provide me with a link/documents on how to proceed with configuring this?
I am using the EAP method with a local certificate for that CA, which has been installed on the ACS, and that local cert needs to be assigned to the EAP protocol.
Hence, to proceed further, I want to authenticate EAP against a second certificate authority. I can load a local certificate from this CA as well, but the EAP protocol can only be assigned to one cert at a time, so EAP authentication to this CA fails.
E.g. I see the certificate cert1 under System Admin -> Config -> Local Certificates -> Issued by: cert1, Protocol: EAP.
Is there any way to achieve this?
You can add as many root CAs as you would like to the certificate profile under Users and Identity Stores -> Certificate Authorities. ACS does not need to be assigned multiple identity certificates to support different certificates from clients.
Under System Admin -> Config -> Local Certificates -> Issued by: cert1, Protocol: EAP.
Yes, the EAP protocol can only be assigned to one cert at a time; that is an ACS limitation.
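The point made in the answer above, that a RADIUS/EAP server presents a single identity certificate but can still validate client certificates issued by several different CAs, can be checked outside ACS with plain OpenSSL. The script below is an added example, not part of the original thread and not ACS code: it builds two throwaway root CAs (named CA1 and CA2 here, mirroring the question), issues one server identity certificate from CA1, one device certificate from CA1 and one user certificate from CA2, and then shows that both client certificates validate against a trust bundle containing both roots while the CA2-issued certificate is rejected when only CA1 is trusted. All names, subjects and file paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): one server identity cert,
# client certs from two different CAs, validated against a combined trust list.
# CA1, CA2, device1, user2 and radius-server are made-up names.
set -u

WORK="$(mktemp -d)"

# make_ca NAME: create a self-signed root CA (key + cert) in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# issue_cert CA_NAME SUBJECT_CN: generate a key + CSR for SUBJECT_CN and sign it with CA_NAME.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_cert TRUST_BUNDLE CERT: succeed only if CERT chains to a root in TRUST_BUNDLE.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: returns 0 when every expectation holds, non-zero otherwise.
run_demo() {
  make_ca CA1 || return 1
  make_ca CA2 || return 1
  issue_cert CA1 radius-server || return 1   # the server's single EAP identity cert
  issue_cert CA1 device1 || return 1         # "Device 1": device cert from CA1
  issue_cert CA2 user2 || return 1           # "Device 2": user cert from CA2

  # The trust list the server uses for client certificates holds BOTH roots.
  cat "$WORK/CA1.pem" "$WORK/CA2.pem" > "$WORK/trust.pem"

  # Both client certs validate against the combined trust list ...
  verify_cert "$WORK/trust.pem" "$WORK/device1.pem" || return 1
  verify_cert "$WORK/trust.pem" "$WORK/user2.pem" || return 1

  # ... but the CA2-issued user cert must fail when only CA1 is trusted.
  if verify_cert "$WORK/CA1.pem" "$WORK/user2.pem"; then
    return 1
  fi

  # The server's own identity cert still chains only to CA1; which CAs are
  # trusted for clients has no bearing on which cert the server presents.
  verify_cert "$WORK/CA1.pem" "$WORK/radius-server.pem" || return 1
  return 0
}

run_demo && echo "multi-CA client trust with a single server identity: OK"
```

Run it as `sh multi_ca_trust.sh` on any host with the `openssl` command line tool; it needs no network. The same separation applies in ACS: the certificate assigned to the EAP protocol under Local Certificates plays the role of radius-server.pem, and the entries under Certificate Authorities play the role of trust.pem.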