Filter
Top Products
4-11
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
Certificate-Based Network Access
You can create custom conditions to use the certificate’s attributes as a policy condition. See Creating,
Duplicating, and Editing a Custom Session Condition, page 9-5, for details.
Step 5 Create an access service. See Configuring Access Services, page 10-11, for more information.
Step 6 In the Allowed Protocols Page, choose EAP-TLS or PEAP (EAP-TLS) as inner method.
Step 7 Configure identity and authorization policies for the access service. See Configuring Access Service
Policies, page 10-22, for details.
Note When you create rules for the identity policy, the result may be the Certificate Authentication
Profile or an Identity Sequence. See Viewing Identity Policies, page 10-22, for more
information.
Step 8 Configure the Authorization Policies. See Configuring a Session Authorization Policy for Network
Access, page 10-30.
Step 9 Configure the Service Selection Policy. See Configuring the Service Selection Policy, page 10-5.
Related Topics
• Configuring Local Server Certificates, page 18-14
• Configuring CA Certificates, page 8-71
• Authentication in ACS 5.4, page B-1
• Overview of EAP-TLS, page B-6
Authorizing the ACS Web Interface from Your Browser Using a Certificate
You use the HTTPS certificate-based authentication to connect to ACS with your browser. The Local
Server Certificate in ACS is used to authorize the ACS web interface from your browser. ACS does not
support browser authentication (mutual authentication is not supported).
Table 4-2 Network Access Authentication Protocols
Protocol Action
EAP-TLS In the Allowed Protocols Page, choose Allow EAP-TLS to enable the EAP-TLS settings.
• Enable Stateless Session resume—Check this check box to enable the Stateless Session
Resume feature per Access service. This feature enables you to configure the following
options:
–
Proactive Session Ticket update—Enter the value as a percentage to indicate how much
of the Time to Live must elapse before the session ticket is updated. For example, the
session ticket update occurs after 10 percent of the Time to Live has expired, if you enter
the value 10.
–
Session ticket Time to Live—Enter the equivalent maximum value in days, weeks,
months, and years, using a positive integer.
PEAP In the Allowed Protocols Page, choose PEAP. For the PEAP inner method, choose EAP-TLS or
PEAP Cryptobinding TLV.