Cisco Systems 3.3 Server User Manual
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-8
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Step 2 Edit the certification trust list so that the certification authority (CA) issuing end-user client certificates is trusted. If you do not perform this step, Cisco Secure ACS only trusts user certificates issued by the same CA that issued the certificate installed in Cisco Secure ACS. For detailed steps, see Editing the Certificate Trust List, page 10-38.

Step 3 Establish a certificate revocation list (CRL) for each CA and certificate type listed in the certificate trust list (CTL). As part of EAP-TLS authentication, Cisco Secure ACS validates the status of the certificate presented by the user against the cached CRL to ensure that it has not been revoked. For detailed steps, see Adding a Certificate Revocation List Issuer, page 10-42.

Step 4 Enable EAP-TLS on the Global Authentication Setup page. Cisco Secure ACS allows you to complete this step only after you have successfully completed Step 1. For detailed steps, see Configuring Authentication Options, page 10-33.

Step 5 Configure a user database. To determine which user databases support EAP-TLS authentication, see Authentication Protocol-Database Compatibility, page 1-10.

Cisco Secure ACS is ready to perform EAP-TLS authentication.
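To make concrete what Steps 2 and 3 require of the authenticating server, the following Go program (an example added for this page, not code from Cisco Secure ACS) builds a constructed test PKI and checks a user certificate the way EAP-TLS validation must: the issuing CA has to be in the CTL, and the cached CRL for that CA has to be authentic, current, and must not list the certificate's serial. The CTL is modeled as an x509.CertPool and the per-CA CRL cache as a map keyed by issuer name; both, and all names and serials, are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue builds a constructed test certificate: a self-signed CA (one CTL entry) when parent is nil, else a user client certificate signed by parent.
func Issue(parent *x509.Certificate, signer ed25519.PrivateKey, cn string, serial int64) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // CA: may sign certificates and CRLs; carries no client-auth EKU itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage, parent, signer = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// MakeCRL signs a CRL from ca listing the given serials as revoked: the cached CRL of Step 3.
func MakeCRL(caKey ed25519.PrivateKey, ca *x509.Certificate, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// CheckUserCert mirrors Steps 2 and 3: the certificate must chain to a CA in the CTL (a CertPool here), and that CA's cached CRL (keyed by issuer name) must be authentic, current and not list the serial.
func CheckUserCert(cert *x509.Certificate, ctl *x509.CertPool, crls map[string]*x509.RevocationList) string {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: ctl, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { return "untrusted-issuer" } // Step 2: the issuing CA is not in the CTL
	issuer := chains[0][1] // the CTL entry the chain ends at
	crl, ok := crls[issuer.Subject.String()]
	if !ok { return "no-crl" } // Step 3: every CTL entry needs a CRL issuer
	if crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) { return "bad-or-stale-crl" }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return "revoked" }
	}
	return "ok"
}
```

A CRL signed by a CA other than the one in the CTL, or one past its NextUpdate, is rejected rather than consulted, which is the failure mode a stale or tampered CRL cache would otherwise hide.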
PEAP Authentication
This section contains the following topics:
About the PEAP Protocol, page 10-8
PEAP and Cisco Secure ACS, page 10-9
PEAP and the Unknown User Policy, page 10-11
Enabling PEAP Authentication, page 10-12
About the PEAP Protocol
The PEAP (Protected EAP) protocol is a client-server security architecture that provides a means of encrypting EAP transactions, thereby protecting the contents of EAP authentications. PEAP has been posted as an IETF Internet Draft by RSA, Cisco, and Microsoft and is available at http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt.