09-21-2015 07:18 PM - edited 03-08-2019 01:53 AM
Is it possible to do 802.1X authentication with ACS 5.5 based on the client machine certificate issuer (without joining the ACS to AD)?
Example, If the client machine has a certificate loaded that was issued by a certain authority, allow it access.
Our AD admins will not let us join our ACS to the domain.
09-22-2015 12:42 PM
Yes, you can use EAP-TLS via LDAP (but not PEAP-MSCHAPv2).
09-23-2015 11:21 AM
Hi Allen,
We managed to have port-based NAC solely based on certificates and with Cisco switches. It is also not fully tested, but basic use cases are working (e.g. devices with a wrong or no certificate are rejected, and devices with a certificate get connected). I will need some time to write the howto, but if you already have particular questions, I will be happy to help.
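For reference, here is the switch-side half of the setup described above: an added example of a Cisco IOS access-port configuration that runs 802.1X and forwards the EAP-TLS exchange to ACS as the RADIUS server. This is not configuration posted by anyone in this thread; the server name, IP address, shared secret, interface and VLAN are assumed placeholders. The switch never inspects the client certificate itself; the accept/reject decision based on the issuing CA is made on the ACS side in its EAP-TLS policy, so the switch only needs to be a correct 802.1X authenticator.

```cisco
! --- Added example configuration (placeholders, not a poster's config) ---
! Enable AAA and send 802.1X authentication/authorization to RADIUS (ACS)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ACS 5.5 as the RADIUS server (assumed address and secret; use your own)
radius server ACS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Turn on 802.1X globally; without this the port-level commands do nothing
dot1x system-auth-control
!
! Access port for a client that authenticates with EAP-TLS (its machine cert)
interface GigabitEthernet1/0/1
 description 802.1X EAP-TLS client port (example)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Re-authenticate periodically so a revoked/expired cert is caught
 authentication periodic
 authentication timer reauthenticate server
 spanning-tree portfast
```

To confirm the behaviour the post describes (client with a valid certificate connected, client with a wrong or missing certificate rejected), `show authentication sessions interface GigabitEthernet1/0/1` on the switch shows the session state, and the ACS authentication report shows the reason for any rejection. Leave `authentication port-control auto` off any port where you have not yet verified ACS reachability, since a switch that cannot reach its RADIUS server will otherwise deny all clients on that port.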
09-23-2015 01:08 PM
Awesome. That would be very helpful.