Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4933
Views
4
Helpful
6
Replies

EAP-TLS with machine certificate

Go to solution
ALFONSO MONEO VILORIA
Level 1
Level 1

‎08-22-2013 02:30 AM - edited ‎07-04-2021 12:41 AM

Hello all,

I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).


Thanks a lot.

Best regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Anas Naqvi
Level 1
Level 1

‎09-03-2013 09:09 AM

Hi Alfonso, 

Certificate Retrieval for EAP-TLS Authentication

ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 

ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 

After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 

Configuring CA Certificates

When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 

If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 

You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 

Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 

Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate

Also check the below link,  

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Anas Naqvi
Level 1
Level 1

‎09-03-2013 09:09 AM

Hi Alfonso, 

Certificate Retrieval for EAP-TLS Authentication

ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 

ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 

After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 

Configuring CA Certificates

When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 

If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 

You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 

Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 

Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate

Also check the below link,  

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

0 Helpful

Go to solution
ALFONSO MONEO VILORIA
Level 1
Level 1
In response to Anas Naqvi

‎09-30-2013 04:17 AM

Hello Anas,

thanks a lot for your response. I've finally discarded the idea of implement 2 authentications because I think that EAP-CHAINING (with ISE) is the only way to do really this.

Now, I'm going to implement only one authentication process based on machine certificate for Windows, Android and iOS using EAP-TLS.

Your help will be very useful to do this!.


Best regards,

Alfonso Moneo

0 Helpful

Go to solution
Derrick Robba
Level 1
Level 1
In response to Anas Naqvi

‎10-05-2013 11:32 AM

Will a machine cert work in 5.3?

Sent from Cisco Technical Support iPad App

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Derrick Robba

‎10-05-2013 08:24 PM

If you are talking about ACS 5.3, yes it supports EAP-TLS which does requires a machine certificate. It's supported in most of the v4.x and v5.c of ACS.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Derrick Robba

‎10-05-2013 08:34 PM

Yes With EAP-TLS we should have machine cert installed on the end-client and ACS 5.3 does support.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1170404

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Go to solution
Derrick Robba
Level 1
Level 1
In response to Jatin Katyal

‎10-05-2013 09:59 PM

Thank you all!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card