beautypg.com

Eap-tls domain stripping, Machine authentication, Machine – Cisco 3.3 User Manual

Page 500: Eap-tls domain

background image

Chapter 13 User Databases

Windows User Database

13-16

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

EAP-TLS Domain Stripping

If you use Windows Active Directory to authenticate users with EAP-TLS,
Cisco Secure ACS enables you to strip the domain name from the username stored
in the Subject Alternative Name field of the user certificate. Performing domain
name stripping can speed EAP-TLS authentication when the domain that must
authenticate a user is not the domain represented in the SAN field.

For example, a user’s SAN field may contain “[email protected]” but
jsmith may need to authenticate using the domain controller for a subdomain
named “engineering”. Stripping “@corporation.com” from the username
eliminates the needless attempt at authenticating jsmith against the
corporation.com domain controller. Without stripping the domain name, only
after jsmith cannot be found in corporation.com will Cisco Secure ACS use the
Domain List and find the user in the engineering domain. The additional delay
could be several seconds. For more information about the Domain List, see

Non-domain-qualified Usernames, page 13-13

.

You can enable EAP-TLS domain name stripping on the Windows User Database
Configuration page.

Note

EAP-TLS domain name stripping operates independently of support for
UPN-formatted usernames. For information about support for Windows
authentication of UPN-formatted usernames, see

UPN Usernames, page 13-14

.

Machine Authentication

Cisco Secure ACS supports the authentication of computers running Microsoft
Windows operating systems that support EAP computer authentication, such as
Windows XP with Service Pack 1. Machine authentication, also called computer
authentication, allows networks services only for computers known to Active
Directory. This is especially useful for wireless networks, where unauthorized
users outside the physical premises of your workplace can access your wireless
access points.