Cisco Systems CSACS3415K9 Computer Accessories User Manual

4-10
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
Certificate-Based Network Access
You can configure two types of certificates in ACS:
Trust certificate—Also known as a CA certificate. Used to form the certificate trust list (CTL) hierarchy against which remote certificates are verified.
Local certificate—Also known as the local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server. This certificate is maintained together with its private key; the private key is what proves possession of the certificate.
Note During certificate-based access (or password-based access), the user is not only authenticated but also authorized according to the ACS configuration. If the NAS sends accounting requests, the user's session is also accounted.
Related Topics
Configuring CA Certificates, page 8-71
Configuring Local Server Certificates, page 18-14
Using Certificates in ACS, page 4-10
Using Certificates in ACS
The three use cases for certificates in ACS 5.4 are:
Certificate-Based Network Access, page 4-10
Authorizing the ACS Web Interface from Your Browser Using a Certificate, page 4-11
Validating an LDAP Secure Authentication Connection, page 4-12
Certificate-Based Network Access
For TLS-related EAP and PEAP protocols, you must set up a server certificate from the local certificate store and a trust list certificate with which to authenticate the client. You can choose the trust certificate from any of the certificates in the local certificate store.
To use EAP-TLS or PEAP (EAP-TLS), you must obtain and install trust certificates. The information about how to perform these tasks is located in the relevant task chapters.
Before you Begin:
Set up the server by configuring:
EAP-TLS or PEAP (EAP-TLS)
The local certificate. See Configuring Local Server Certificates, page 18-14.
To configure certificate-based network access for EAP-TLS or PEAP (EAP-TLS):
Step 1 Configure the trust certificate list. See Configuring CA Certificates, page 8-71, for more information.
Step 2 Configure the LDAP external identity store. You might want to do this to verify the certificate against a certificate stored in LDAP. See Creating External LDAP Identity Stores, page 8-26, for details.
Step 3 Set up the Certificate Authentication Profile. See Configuring Certificate Authentication Profiles, page 8-75, for details.
Step 4 Configure policy elements. See Managing Policy Conditions, page 9-1, for more information.