
Eap-tls limitations – Cisco 3.3 User Manual

Page 386


Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

10-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

To force an EAP-TLS session to end before the session timeout is reached, either
restart the CSAuth service or delete the user from the CiscoSecure user database.
Disabling or deleting the user in an external user database has no effect because
the session resume feature does not involve the use of external user databases.

You can enable the EAP-TLS session resume feature and configure the timeout
interval on the Global Authentication Setup page. For more information about
enabling this feature, see Global Authentication Setup, page 10-26.

EAP-TLS Limitations

The Cisco Secure ACS implementation of EAP-TLS has the following
limitations:

Server and CA certificate file format—If you install the Cisco Secure ACS
server and CA certificates from files rather than from certificate storage,
server and CA certificate files must be in either Base64-encoded X.509
format or DER-encoded binary X.509 format.

LDAP attribute for binary comparison—If you configure Cisco Secure
ACS to perform binary comparison of user certificates, the user certificate
must be stored in Active Directory or an LDAP server, using a binary format.
Also, the attribute storing the certificate must be named “usercertificate”.

Windows server type—If you want to use Active Directory to authenticate
users with EAP-TLS when Cisco Secure ACS runs on a member server,
additional configuration is required. For more information, including steps
for the additional configuration, see Installation Guide for Cisco Secure ACS
for Windows Server.

Additionally, if Cisco Secure ACS receives traffic from a wireless access point
that has the wrong shared secret, the error message logged in the failed attempts
log reads “EAP request has invalid signature”. Three conditions that might cause
this to occur are the following:

The wrong signature is being used.

A RADIUS packet was corrupted in transit.

Cisco Secure ACS is being attacked.
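
The following added example (not from the Cisco guide) shows why all three conditions produce the same log entry. It assumes the "signature" is the RADIUS Message-Authenticator attribute of RFC 3579, an HMAC-MD5 over the packet keyed with the shared secret; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE = 79            # RFC 3579 attribute types
MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) signed the way an access point would."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_request(secret: bytes, packet: bytes) -> bool:
    """Return True only if the Message-Authenticator matches our shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet, offset = packet[:length], 20
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False  # malformed attribute, e.g. corruption in transit
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[offset + 2:offset + 18]
            # The HMAC is computed with the attribute value set to 16 zero octets.
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False  # an EAP request without the attribute is rejected


# Constructed sample: EAP-Response/Identity for "alice" (not captured traffic).
EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"
```

A mismatched secret, a bit flipped in transit, and a forged packet all fail the same comparison, so the failed attempts log alone cannot tell them apart; correlate the entry with the source access point and how often it recurs.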