beautypg.com

Cisco 3.3 User Manual

Page 411

background image

10-31

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

Global Authentication Setup

EAP-TLS—You can configure the following options for EAP-TLS:

Allow EAP-TLS—Whether Cisco Secure ACS permits EAP-TLS
authentication.

Note

If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet) device,
one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be
enabled on the Global Authentication Setup page; otherwise, Cisco
Aironet users cannot authenticate.

Certificate SAN comparison—Whether authentication is performed by
comparing the Subject Alternative Name (SAN) of the end-user client
certificate to the username in the applicable user database.

Note

If you select more than one comparison type, Cisco Secure ACS
performs the comparisons in the order listed. If the one comparison
type fails, Cisco Secure ACS attempts the next enabled comparison
type. Comparison stops after the first successful comparison.

Certificate CN comparison—Whether authentication is performed by
comparing the Common Name of the end-user client certificate to the
username in the applicable user database.

Certificate Binary comparison—Whether authentication is performed
by a binary comparison of the end-user client certificate to the user
certificate stored in the applicable user database. This comparison
method cannot be used to authenticate users stored in an ODBC external
user database.

EAP-TLS session timeout (minutes)—The maximum EAP-TLS
session length you want to allow users, in minutes. A session timeout
value greater than 0 (zero) enables the EAP-TLS session resume feature.
The session resume feature allows users to reauthenticate without a user
lookup or certificate comparison provided that the session has not timed
out. If the end-user client is restarted, authentication requires a certificate
lookup even if the session timeout interval has not ended. The default
timeout value is 120 minutes. To disable the session timeout feature, set
the timeout value to 0 (zero).