8-63
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
EAP-TLS Setup Overview
This section outlines the basic steps necessary to implement EAP-TLS in
Cisco Secure ACS.
• Obtain a “server” certificate and install it on Cisco Secure ACS. You can
perform the “server” certificate installation using either the manual
enrollment procedure or the automatic enrollment procedure in this section.
• Install a certificate for the CA that issued the Cisco Secure ACS “server”
certificate. For more information, see the “Certification Authority Setup”
section on page 8-70.
• Ensure that every CA whose user certificates you want to accept is listed in
the Cisco Secure ACS certificate trust list (CTL), and that no other CA is.
Any CA in the CTL can vouch for any user, so keep the list to the CAs that
actually issue your user certificates. For more information, see the
“Editing the Certificate Trust List” section on page 8-72.
• Verify that users you intend to authenticate using EAP-TLS reside in a
database that supports EAP-TLS (CiscoSecure user database, Windows 2000
database, or generic LDAP database only).
• Verify that each user account name in Cisco Secure ACS matches the subject
field of that user’s certificate; the subject is how a presented certificate
is mapped to an account.
• Confirm that you have configured the authentication options for EAP-TLS,
then restart Cisco Secure ACS. For more detailed information, see the
“Global Authentication Setup” section on page 8-73.
Requirements for Certificate Enrollment
Cisco Secure ACS supports a variety of PKIs for digital certificate enrollment. To
use the ACS general certificate enrollment feature, the following conditions
apply:
• If you intend to use Cisco Secure ACS to generate the certificate request,
the CA must be able to accept PKCS #10 certificate requests.
• Only certificates that meet the X.509 v3 digital certificate standard are
supported; version 1 certificates cannot carry the extensions that the
following requirement depends on.
• The certificate’s intended purpose must include server authentication, that
is, its Extended Key Usage extension must contain serverAuth
(id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1).
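The following script is an added example and is not part of the Cisco guide or of Cisco Secure ACS. It walks through the setup steps and the enrollment requirements above with the OpenSSL command-line tool (1.1.1 or 3.x syntax), entirely offline: a throwaway CA standing in for the enterprise CA, a PKCS #10 request for the ACS “server” certificate (the manual-enrollment path), the issued certificate, and two constructed user certificates. It then implements the three checks a practitioner wants before enabling EAP-TLS: that the server certificate is X.509 v3 with a serverAuth EKU, that a user certificate chains to a CA in the CTL, and that the certificate subject CN equals the account name. The host name acs.example.com, the users alice and bob, and the CA names are placeholders assumed for the example; ACS itself is never contacted.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): the enrollment requirements and the
# per-user checks reproduced locally with the OpenSSL CLI. Everything below is
# constructed in a temp directory; acs.example.com, alice, bob and the CA
# names are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the commands do not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CAs: one that will be in the CTL, one that will not.
make_ca() {  # make_ca <basename> <CN>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_ca ca "Example Issuing CA"
make_ca rogue "Unlisted CA"

# Manual enrollment, step 1: key pair plus PKCS #10 request (the text you
# would paste into the CA's enrollment page). The same command serves users.
make_csr() {  # make_csr <basename> <CN>
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue an X.509 v3 certificate from a CSR. The EKU argument decides whether
# the result qualifies as an ACS "server" certificate (serverAuth) or not.
issue() {  # issue <csr-basename> <ca-basename> <eku>
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/$1.crt" 2>/dev/null
}
make_csr acs   acs.example.com; issue acs   ca    serverAuth
make_csr alice alice;           issue alice ca    clientAuth
make_csr bob   bob;             issue bob   rogue clientAuth
cp "$WORK/ca.crt" "$WORK/ctl.pem"   # the CTL: only the issuing CA is trusted

# Requirement check for the ACS server certificate: X.509 v3 and an EKU that
# includes serverAuth ("intended purpose must include server authentication").
# Returns 0 only when both hold.
server_cert_ok() {  # server_cert_ok <cert.pem>
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'Version: 3' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# CTL check: a user certificate is acceptable only if it chains to a CA in the
# trust list. The exit status of openssl verify differs between versions, so
# the printed ": OK" verdict is what is tested.
in_ctl() {  # in_ctl <ctl.pem> <user-cert.pem>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Account-name check: the subject CN must equal the ACS user account name.
subject_cn() {  # subject_cn <cert.pem>
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}
user_matches() {  # user_matches <cert.pem> <account-name>
  [ "$(subject_cn "$1")" = "$2" ]
}

# Stand-alone run: report each check.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report server_cert_ok "$WORK/acs.crt"              # PASS
report server_cert_ok "$WORK/alice.crt"            # FAIL: clientAuth only
report in_ctl "$WORK/ctl.pem" "$WORK/alice.crt"    # PASS
report in_ctl "$WORK/ctl.pem" "$WORK/bob.crt"      # FAIL: issuer not in CTL
report user_matches "$WORK/alice.crt" alice        # PASS
```

The two failing cases are the ones worth keeping in mind: a certificate issued by a CA that is not in the CTL is rejected no matter how well formed it is, and a certificate with only clientAuth in its EKU cannot serve as the ACS “server” certificate even though it is a valid X.509 v3 certificate from a trusted CA.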