beautypg.com

Eap-tls and ciscosecure acs, Eap-tls and cisco secure acs – Cisco 3.3 User Manual

Page 384

background image

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

10-4

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

EAP-TLS and Cisco Secure ACS

Cisco Secure ACS supports EAP-TLS with any end-user client that supports
EAP-TLS, such as Windows XP. To learn which user databases support EAP-TLS,
see

Authentication Protocol-Database Compatibility, page 1-10

. For more

information about deploying EAP-TLS authentication, see Extensible
Authentication Protocol Transport Layer Security Deployment Guide for Wireless
LAN Networks
at

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/

acstl_wp.htm

.

Cisco Secure ACS can use EAP-TLS to support machine authentication to
Microsoft Windows Active Directory. The end-user client may limit the protocol
used for user authentication to the same protocol used for machine authentication;
that is, use of EAP-TLS for machine authentication may require the use of
EAP-TLS for user authentication. For more information about machine
authentication, see

Machine Authentication, page 13-16

.

Cisco Secure ACS supports domain stripping for EAP-TLS authentication using
Windows Active Directory. For more information, see

EAP-TLS Domain

Stripping, page 13-16

.

Cisco Secure ACS also supports three methods of certificate comparison and a
session resume feature. This topic discusses these features.

To permit access to the network by a user or computer authenticating with
EAP-TLS, Cisco Secure ACS must verify that the claimed identity (presented in
the EAP Identity response) corresponds to the certificate presented by the user.
Cisco Secure ACS can accomplish this verification in three ways:

Certificate SAN Comparison—Based on the name in the Subject
Alternative Name field in the user certificate.

Certificate CN Comparison—Based on the name in the Subject Common
Name field in the user certificate.

Certificate Binary Comparison—Based on a binary comparison between
the user certificate stored in the user object in the LDAP server or Active
Directory and the certificate presented by the user during EAP-TLS
authentication. This comparison method cannot be used to authenticate users
stored in an ODBC external user database.