Filter
Top Products
B-34
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
AppendixB Authentication in ACS 5.4
Certificate Attributes
• Subject's ST attribute (State Province)
• Subject's E attribute (eMail)
• Subject's SN attribute (Subject Serial Number)
• Issuer I attribute
• SAN (Subject Alternative Name)
• Subject
• SAN—Email
• SAN—DNS
• SAN—otherName
Certificate Revocation
Every client certificate that ACS receives is verified with a Certificate Revocation List (CRL) according
to a policy that is defined.
The CRL mechanism verifies whether or not you can still rely on a client certificate. This is done by
checking the serial number of the certificate, and that of each member of the corresponding certificate
chain, against a list of certificates that are known to have been revoked.
Possible reasons for revocation of a certificate include suspicion that the associated private key has been
compromised or the realization that the certificate was issued improperly. If either of these conditions
exist, the certificate is rejected.
ACS supports a static-CRL that contains a list of URLs used to acquire the CRL files that are configured
in ACS database.
Note ACS does not support delta CRLs in certificate revocation validation.
You can configure a set of URLs used for CRL update for each trusted CA certificate,. By default, when
adding a CA certificate, ACS automatically sets all the URLs stored in the certificate
crlDistributionPoint as the initial static CRL for that CA. In most cases, the crlDistributionPoint is used
to point to the CRL location used to revoke the CA certificate, but you can edit the URL to point to the
CRL file issued by this CA. You can only configure a single HTTP based URL for each CA.
You can configure the parameters for each CA, which will apply to all the URLs that are configured to
the CA. ACS supports two download modes, one for periodic download, and the other for downloading
the next CRL update just before the previous is about to expire.
• For the periodic download, you can define the download periods.
• For automatic downloading, you define the amount of time before the CRL file expires, should ACS
download it. The CRL expiration time is taken from the CRL nextUpdate field.
For both modes, if the download somehow fails, you can define the amount of time that ACS will wait
before trying to redownload the CRL file.
ACS verifies that the downloaded CRL file is signed correctly by any one of the CAs in the trust store,
for each downloaded CRL file and whether they are trusted. ACS uses the CRL file only if the signature
verification passes. The verified CRL file replaces the previous CRL file issued by the same CA.
Note CRL files are not kept persistent, and should be re-downloaded when you restart ACS.