Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
8-62
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Background on Certification
EAP and TLS are both IETF RFC standards. The EAP protocol extends the Point-to-Point Protocol (PPP) by providing new methods for carrying authentication information before a PPP connection is established, specifically EAPOL (the encapsulation of EAP over LANs as established by IEEE 802.1X). In addition to digital certificates, EAP has methods for username and password authentication (for example, EAP-MD5 Challenge). TLS is the next-generation SSL security protocol. TLS provides a way to use certificates both for user authentication and for dynamic ephemeral session key generation. For more detailed information on EAP, TLS, and EAP-TLS, refer to the following IETF RFCs: PPP Extensible Authentication Protocol (EAP), RFC 2284; The TLS Protocol, RFC 2246; and PPP EAP TLS Authentication Protocol, RFC 2716.
Digital certificates are particularly useful because they require neither shared secrets nor stored database credentials, can be scaled and trusted across large deployments, and can serve as a two-factor method of authentication that is stronger and more secure than shared-secret systems. Mutual trust requires that Cisco Secure ACS have an installed certificate that can be verified by AAA clients, and that a user attempting authentication via EAP-TLS bear a certificate from a trusted certification authority (CA). For a user to be authenticated, the subject name contained in the user certificate must be identical to the username in the Cisco Secure ACS database (or in the external LDAP directory or Windows 2000 database that Cisco Secure ACS uses). Cisco Secure ACS requires that the certificates and CA files used be Base64-encoded X.509 version 3.
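As an added illustration of the two requirements just stated (this is example code, not code from the guide or from Cisco Secure ACS), the Python below decodes a Base64 (PEM) X.509 certificate just far enough to read its version and subject common name, then compares that name with an ACS username. The certificate it checks is a constructed, unsigned skeleton built inline, and reading "subject name" as the CN attribute is an assumption.

```python
import base64
import re
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos] -> (tag, body, next_pos); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):                               # yield (tag, body) of each element in a constructed value
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def parse_pem_cert(pem):
    """Return (x509_version, subject_cn) from a Base64 (PEM) X.509 certificate."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] != 0xA0:                       # no [0] EXPLICIT version field -> v1
        return 1, None
    version = int.from_bytes(next(_children(fields[0][1]))[1], "big") + 1
    for _, rdn in _children(fields[5][1]):         # subject follows serial, sigAlg, issuer, validity
        for _, atv in _children(rdn):              # RDN ::= SET OF SEQUENCE {type OID, value}
            oid, value = [body for _, body in _children(atv)]
            if oid == OID_CN:
                return version, value.decode("utf-8")
    return version, None

def eap_tls_subject_matches(pem, acs_username):  # guide's rule: X.509 v3 and subject name == ACS username
    version, cn = parse_pem_cert(pem)
    return version == 3 and cn is not None and cn == acs_username

# Constructed test data: an UNSIGNED certificate skeleton with only the fields the check reads.
def _tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body
def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))  # SEQUENCE {OID, UTF8String}
    return _tlv(0x30, _tlv(0x31, atv))                               # Name ::= SEQUENCE OF SET
def make_demo_pem(cn, version=3):
    tbs = (_tlv(0xA0, _tlv(0x02, bytes([version - 1]))) + _tlv(0x02, b"\x01")   # version, serial
           + _tlv(0x30, b"") + _name("Demo CA") + _tlv(0x30, b"") + _name(cn))  # sigAlg, issuer, validity, subject
    der = _tlv(0x30, _tlv(0x30, tbs))  # Certificate { tbsCertificate { ... } }, no signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Running `eap_tls_subject_matches(make_demo_pem("jdoe"), "jdoe")` returns True, while a v2 skeleton or a mismatched username returns False; `parse_pem_cert` also works on a real PEM certificate, since the DER reader handles long-form lengths.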
A user who is authenticated using EAP-TLS can then be mapped to user or group authorization information kept in the CiscoSecure user database, or in the Windows 2000 or generic LDAP directory server. Your Cisco Secure ACS must be installed on a Windows 2000 server (not Windows NT) if you intend to use EAP-TLS in conjunction with a Windows 2000 user database.
EAP-TLS requires support from both the end client and the AAA client. One example of an EAP-TLS end client is the Windows XP operating system; EAP-TLS-compliant AAA clients include Cisco 802.1X-enabled switch platforms (such as the Catalyst 6000 product line) and Cisco Aironet wireless solutions. In addition, Cisco Secure ACS must either generate its own PKI or enroll in an existing one, and be granted an X.509 v3 digital certificate.