EAP-TLS match on custom EKU with ACS 5.5

Hi,

Is there any possibility to match on a custom EKU with ACS 5.5?

I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.

I know that it's possible with Microsoft NPS but I would prefer a solution with ACS. But in ACS the certificate dictionary contains only a few attributes i.e. common name, issuer, subject, but not the Enhanced Key Usage (EKU).

Any suggestions?


Thanks,

Werner

2 Replies

Saurav Lodh
Level 7

Object Identifier Check for EAP-TLS Authentication

ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.

When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.

To enable OID comparison you must:

Enable EAP-TLS from the NAP page.

OID strings may only contain numbers, dots, commas and spaces; for example, 1.3.6.1.5.5.7.3.2 is a valid OID string.

Enter multiple OIDs as comma-separated values. For example: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 is a valid string.
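As an added illustration of the rule the reply quotes (not code from the thread, from Cisco, or from ACS itself), the following Python reads the DER value of a certificate's Extended Key Usage extension, decodes the OIDs it lists, validates an ACS-style comma-separated OID string, and applies the stated outcome: success only if a configured OID is present in the EKU, failure if the certificate carries no EKU at all. It assumes "the OIDs match" means at least one configured OID appears in the certificate; the private-enterprise OID 1.3.6.1.4.1.99999.1.1 standing in for Werner's self-created EKU is a constructed placeholder, and the EKU extension bytes are built inline rather than taken from a real certificate.

```python
"""Added example: EKU/OID comparison as described for ACS EAP-TLS.
Only the EKU extension value is parsed here, not a whole certificate."""
import re

# Characters the quoted ACS rule allows in the configured OID string.
OID_STRING_RE = re.compile(r"^[0-9., ]+$")

# Constructed placeholder for a self-created (private-enterprise) EKU OID.
CUSTOM_EKU_OID = "1.3.6.1.4.1.99999.1.1"
# id-kp-clientAuth, the standard EKU most client certificates carry.
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"


def parse_oid_string(s):
    """Split an ACS-style comma-separated OID string into dotted OIDs."""
    if not OID_STRING_RE.match(s):
        raise ValueError("OID string may only contain numbers, dots, commas and spaces")
    oids = [part.strip() for part in s.split(",") if part.strip()]
    for oid in oids:
        if not re.fullmatch(r"[0-9]+(\.[0-9]+)+", oid):
            raise ValueError(f"malformed OID: {oid!r}")
    return oids


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def encode_oid(oid):
    """DER-encode a dotted OID; used only to build sample EKU data."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return bytes([0x06, len(body)]) + body


def build_eku_extension(oids):
    """Constructed sample: ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def eku_oids_from_extension(der):
    """Return the dotted OIDs listed in a DER-encoded EKU extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(val))
    return oids


def eku_check(configured_oid_string, eku_extension_der):
    """ACS-style outcome: True only if a configured OID is in the cert's EKU;
    a certificate with no EKU extension (None) always fails."""
    wanted = set(parse_oid_string(configured_oid_string))
    if eku_extension_der is None:
        return False
    return bool(wanted & set(eku_oids_from_extension(eku_extension_der)))


if __name__ == "__main__":
    wlan_cert = build_eku_extension([CLIENT_AUTH_OID, CUSTOM_EKU_OID])
    plain_cert = build_eku_extension([CLIENT_AUTH_OID])
    print("custom-EKU cert:", eku_check(CUSTOM_EKU_OID, wlan_cert))   # True
    print("same-CA cert   :", eku_check(CUSTOM_EKU_OID, plain_cert))  # False
    print("no EKU at all  :", eku_check(CUSTOM_EKU_OID, None))        # False
```

Configuring only the custom OID (not the standard clientAuth OID alongside it) is what keeps the other certificates from the same CA out: since they also carry id-kp-clientAuth, listing that OID in ACS would let every client certificate through.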

Thanks for your Response!

Sorry, I did not mention, I'm running ACS version 5.4. So there is no NAP page. Is there a way for ACS 5.4, too?

Thanks
