Digital certificates, Eap-tls authentication – Cisco 3.3 User Manual
Page 382
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-2
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Digital Certificates
The ACS Certificate Setup pages enable you to install digital certificates to
support EAP-TLS and PEAP authentication, as well as to support HTTPS
protocol for secure access to the Cisco Secure ACS HTML interface.
Cisco Secure ACS uses the X.509 v3 digital certificate standard. Certificate files
must be in either Base64-encoded X.509 format or DER-encoded binary X.509
format. Also, Cisco Secure ACS supports manual certificate enrollment and
provides the means for managing a certificate trust list (CTL) and certificate
revocation lists (CRL).
Digital certificates do not require the sharing of secrets or stored database
credentials. They can be scaled and trusted over large deployments. If managed
properly, they can serve as a method of authentication that is stronger and more
secure than shared secret systems. Mutual trust requires that Cisco Secure ACS
have an installed certificate that can be verified by end-user clients. This server
certificate may be issued from a certification authority (CA) or, if you choose,
may be a self-signed certificate. For more information see
Cisco Secure ACS Server Certificate, page 10-35
Note
Depending on the end-user client involved, the CA certificate for the CA that
issued the Cisco Secure ACS server certificate is likely to be required in local
storage for trusted root CAs on the end-user client computer.
EAP-TLS Authentication
This section contains the following topics:
•
About the EAP-TLS Protocol, page 10-3
•
EAP-TLS and Cisco Secure ACS, page 10-4
•
EAP-TLS Limitations, page 10-6
•