

EAP-TLS match on custom EKU with ACS 5.5



Is there any possibility to match on a custom EKU with ACS 5.5?

I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.

I know that it's possible with Microsoft NPS but I would prefer a solution with ACS. But in ACS the certificate dictionary contains only a few attributes, e.g. common name, issuer, subject, but not the Enhanced Key Usage (EKU).

Any suggestions?





Object Identifier Check for EAP-TLS Authentication

ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.

When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.

To enable OID comparison you must:

Enable EAP-TLS from the NAP page.

OID strings may contain only numbers, dots, commas and spaces; for example: is a valid OID string.

Enter multiple OIDs as comma-separated values. For example: , is a valid string.
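The OID comparison described above, as an added example (not ACS code and not from Cisco's documentation): a stdlib-only Python re-implementation that decodes the DER ExtendedKeyUsage value of a client certificate, validates the configured OID string against the "numbers, dots, commas and spaces" rule, and applies the decision, including the failure when the certificate has no EKU at all. Assumptions: any one configured OID found in the certificate counts as a match (the page does not say whether all must be present), and 1.3.6.1.4.1.99999.1 is a placeholder custom OID, not a registered one.

```python
import re
OID_STRING_RE = re.compile(r"^[0-9., ]+$")  # rule quoted above: numbers, dots, commas, spaces

def encode_oid(oid):
    """DER-encode a dotted OID (tag 0x06); used here only to build the sample input."""
    arcs = [int(a) for a in oid.split(".")]
    body = b""
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]                 # base-128, high bit set on all but the last byte
        while sub >> 7:
            sub >>= 7
            chunk.insert(0, (sub & 0x7F) | 0x80)
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + body

def encode_eku(oids):
    """ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER (short-form lengths, under 128 bytes)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(inner)]) + inner

def decode_eku(der):
    """Return the dotted OIDs inside a DER ExtendedKeyUsage value."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    i, end, oids = 2, 2 + der[1], []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        length, subids, acc = der[i + 1], [], 0
        for b in der[i + 2:i + 2 + length]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:                 # high bit clear ends a sub-identifier
                subids.append(acc)
                acc = 0
        first = 2 if subids[0] >= 80 else subids[0] // 40
        oids.append(".".join(map(str, [first, subids[0] - 40 * first] + subids[1:])))
        i += 2 + length
    return oids

def eku_check(configured, eku_der):
    """ACS-style decision: no EKU extension -> fail; otherwise any configured OID must appear (assumed rule)."""
    if not OID_STRING_RE.match(configured):
        raise ValueError("OID string may contain only numbers, dots, commas and spaces")
    wanted = {p.strip() for p in configured.split(",") if p.strip()}
    if eku_der is None:                      # certificate carries no EKU extension at all
        return False
    return bool(wanted & set(decode_eku(eku_der)))

# Constructed sample: a client certificate EKU carrying id-kp-clientAuth plus the placeholder custom OID.
CUSTOM_OID = "1.3.6.1.4.1.99999.1"           # placeholder, not a registered OID
SAMPLE_EKU = encode_eku(["1.3.6.1.5.5.7.3.2", CUSTOM_OID])
```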

Thanks for your response!

Sorry, I did not mention that I'm running ACS version 5.4, so there is no NAP page. Is there a way for ACS 5.4, too?