B-33
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
Certificate Attributes
Subject’s ST attribute (State Province)
Subject’s E attribute (eMail)
Subject’s SN attribute (Subject Serial Number)
Issuer I attribute
SAN (Subject Alternative Name)
You can define a policy that sets the principal username used in the TLS conversation to an attribute
taken from the received certificate.
The attributes that can be used as the principal username are:
Subject CN
Subject Serial-Number (SN)
SAN
Subject
SAN—Email
SAN—DNS
SAN—otherName
If the certificate does not contain the configured attribute, authentication fails.
Note: ACS 5.4 supports short hard-coded attributes and certificate attribute verification only for the
EAP-TLS protocol.
Certificate Binary Comparison
You can perform binary comparison against a certificate that ACS receives from an external identity
store and determine the identity store's parameters that will be used for the comparison.
Note: In ACS 5.4, AD and LDAP are the only external identity stores that hold certificates.
ACS uses the configured principal username to query for the user's certificate and then performs a binary
comparison between the certificate received from the external identity store and the one received from the
client. The comparison is performed on the certificates in DER format.
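
The lookup and comparison described above, modelled in Python as an added example (not Cisco's code and not part of the original guide). The function names, the dictionary standing in for AD or LDAP, the result strings, and the handling of a user with no stored certificate are assumptions; the sample bytes are constructed.

```python
import hmac
import ssl

def to_der(cert):
    """Normalise a certificate (DER bytes, or PEM as str/bytes) to DER bytes."""
    if isinstance(cert, bytes):
        if not cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
            return cert  # already DER
        cert = cert.decode("ascii")
    return ssl.PEM_cert_to_DER_cert(cert.strip())

def authenticate(client_cert, cert_attrs, configured_attr, identity_store):
    """Pick the principal username, fetch the stored cert, compare DER bytes."""
    username = cert_attrs.get(configured_attr)
    if not username:
        # Per the guide: a certificate lacking the configured attribute fails.
        return False, "attribute-missing"
    stored = identity_store.get(username)
    if stored is None:
        return False, "no-stored-certificate"  # assumption: treated as failure
    # Byte-for-byte comparison of the two DER encodings, in constant time.
    if hmac.compare_digest(to_der(client_cert), to_der(stored)):
        return True, "match"
    return False, "mismatch"

# Constructed sample data: stand-in bytes, not a parseable X.509 certificate.
CLIENT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# The same bytes as the directory might return them: PEM text with CRLF endings.
STORED_PEM = ssl.DER_cert_to_PEM_cert(CLIENT_DER).replace("\n", "\r\n")
IDENTITY_STORE = {"alice": STORED_PEM}   # hypothetical stand-in for AD/LDAP
ATTRS = {"Subject CN": "alice"}          # attributes read from the client cert

if __name__ == "__main__":
    print(authenticate(CLIENT_DER, ATTRS, "Subject CN", IDENTITY_STORE))
    print(authenticate(CLIENT_DER, ATTRS, "SAN", IDENTITY_STORE))
    tampered = CLIENT_DER[:-1] + b"\x00"
    print(authenticate(tampered, ATTRS, "Subject CN", IDENTITY_STORE))
```

Normalising both sides to DER first matters because a directory export in PEM differs from the client's DER bytes in encoding and line endings even when the certificate is identical.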

Rules Relating to Textual Attributes

ACS collects client certificate textual attributes and places them in the ACS context dictionary. ACS can
apply any rule-based policy to these attributes, as with any other rule attributes in ACS.
The attributes that can be used for rule verification are:
Subject's CN attribute
Subject's O attribute (Organization)
Subject's OU attribute (Organization Unit)
Subject's L attribute (Location)
Subject's C attribute (Country)