8-75
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Configuring Certificate Authentication Profiles
The Trust Certificate page appears without the deleted certificate(s).
Related Topic
Overview of EAP-TLS, page B-6

Exporting a Certificate Authority

To export a trust certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate List page appears with a list of configured certificates.
Step 2 Check the box next to the certificates that you want to export.
Step 3 Click Export.
This operation exports the trusted certificate to the client machine.
Step 4 Click Yes to confirm.
You are prompted to install the exported certificate on your client machine.
Related Topics
User Certificate Authentication, page B-6
Overview of EAP-TLS, page B-6
Configuring Certificate Authentication Profiles
The certificate authentication profile defines the X.509 certificate information to be used for a
certificate-based access request. You can select an attribute from the certificate to be used as the username.
You can select a subset of the certificate attributes to populate the username field for the context of the
request. The username is then used to identify the user for the remainder of the request, including the
identification used in the logs.
You can use the certificate authentication profile to retrieve certificate data to further validate a
certificate presented by an LDAP or AD client. The username from the certificate authentication profile
is used to query the LDAP or AD identity store.
ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store,
one after another, to see if one of them matches. ACS either accepts or rejects the request.
Note For ACS to accept a request, only one certificate from either the LDAP or the AD identity store must
match the client certificate.
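The accept/reject decision described above can be modeled as follows. This is an added example, not ACS code: the function and class names are hypothetical, certificates are constructed stand-in byte strings, the dictionary stands in for the LDAP or AD query, and trust-chain validation is assumed to have happened already.

```python
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ClientCert:
    der: bytes                                      # encoded certificate as presented
    attributes: dict = field(default_factory=dict)  # parsed fields, e.g. {"CN": "alice"}

# Constructed sample identity store: username -> certificates stored for that user.
DIRECTORY = {
    "alice": [b"CERT-alice-2011", b"CERT-alice-2013"],
    "bob": [],
}

def authenticate(cert, username_attribute, directory):
    """Return (accepted, username, reason) for one certificate-based request."""
    # 1. The profile names the certificate attribute that becomes the username.
    username = cert.attributes.get(username_attribute)
    if not username:
        return False, None, "username attribute missing from certificate"
    # 2. That username is used to query the identity store.
    stored = directory.get(username)
    if stored is None:
        return False, username, "user not found in identity store"
    # 3. Compare the presented certificate with each stored one in turn;
    #    a single exact match is enough to accept.
    for candidate in stored:
        if hmac.compare_digest(candidate, cert.der):
            return True, username, "certificate matches identity store"
    return False, username, "no stored certificate matches"

if __name__ == "__main__":
    requests = [
        ClientCert(b"CERT-alice-2013", {"CN": "alice"}),     # stored copy: accept
        ClientCert(b"CERT-alice-other", {"CN": "alice"}),    # same name, other cert
        ClientCert(b"CERT-carol", {"CN": "carol"}),          # unknown user
        ClientCert(b"CERT-bob", {"CN": "bob"}),              # user has no stored cert
        ClientCert(b"CERT-nocn", {"O": "example"}),          # attribute absent
    ]
    for r in requests:
        print(authenticate(r, "CN", DIRECTORY))
```

The second request shows what the comparison adds: a certificate carrying the right username is still rejected unless it is identical to one stored for that user.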