13-23
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Windows User Database
Note End-user client computers and the applicable Active Directory must be configured
to support machine authentication. This procedure is specific to configuration of
Cisco Secure ACS only. For information about configuring Microsoft Windows
operating systems to support machine authentication, see Microsoft Windows and
Machine Authentication, page 13-20.
To enable Cisco Secure ACS to perform machine authentication, follow these
steps:
Step 1 Install a server certificate in Cisco Secure ACS. PEAP(EAP-MSCHAPv2) and
EAP-TLS require a server certificate. Cisco Secure ACS uses a single certificate
to support both protocols. For detailed steps, see Installing a Cisco Secure ACS
Server Certificate, page 10-35.
Note If you have installed a certificate to support EAP-TLS or PEAP user
authentication or to support HTTPS protection of remote Cisco Secure
ACS administration, you do not need to perform this step. A single server
certificate will support all certificate-based Cisco Secure ACS services
and remote administration.
Step 2 For EAP-TLS machine authentication, if certificates on end-user clients are
issued by a different CA than the CA that issued the server certificate on
Cisco Secure ACS, you must edit the certificate trust list so that the CAs issuing
end-user client certificates are trusted. If you do not perform this step and the CA
of the server certificate is not the same as the CA of an end-user client
certificate, EAP-TLS will operate normally but reject the EAP-TLS machine
authentication because it does not trust the CA that issued the client certificate.
For detailed steps, see Editing the Certificate Trust List, page 10-38.
Step 3 Enable the applicable protocols on the Global Authentication Setup page:
To support machine authentication with PEAP, enable the
PEAP(EAP-MSCHAPv2) protocol.
To support machine authentication with EAP-TLS, enable the EAP-TLS
protocol.
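As an added illustration of the Step 2 caveat (this script is not part of the Cisco guide), the following OpenSSL commands reproduce the trust decision offline: a machine certificate issued by a CA other than the server certificate's CA is rejected until that CA is added to the trust list. The CA names, the host name and the file layout are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Two constructed CAs: ServerCA issues
# the ACS server certificate, ClientCA issues a Windows machine certificate.
# A machine certificate checked against a trust list holding only ServerCA is
# rejected; once ClientCA is added to the list it is accepted.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA (RSA-2048, basicConstraints CA:TRUE)
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_machine_cert CA HOST: client-auth certificate for HOST, signed by CA
make_machine_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$2.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# ctl_check CERT CA...: emulate the ACS trust decision. Prints "accept" if CERT
# chains to one of the CA files given (the trust list), otherwise "reject".
ctl_check() {
    cert="$1"; shift
    cat "$@" > "$WORK/ctl.pem"
    if openssl verify -CAfile "$WORK/ctl.pem" "$cert" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Trust list holds only the server certificate's CA: EAP-TLS machine auth fails.
before_step2() { ctl_check "$WORK/workstation01.pem" "$WORK/ServerCA.pem"; }
# After Step 2 the client CA is in the trust list: machine auth succeeds.
after_step2() { ctl_check "$WORK/workstation01.pem" "$WORK/ServerCA.pem" "$WORK/ClientCA.pem"; }

make_ca ServerCA
make_ca ClientCA
make_machine_cert ClientCA workstation01
echo "trust list = ServerCA:            $(before_step2)"   # reject
echo "trust list = ServerCA + ClientCA: $(after_step2)"    # accept
```

The same `openssl verify` check, run against the CA certificates actually loaded into the ACS trust list, is a quick way to confirm Step 2 before enabling EAP-TLS machine authentication.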