4-11
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter4 Common Scenarios Using ACS
Certificate-Based Network Access
You can create custom conditions to use the certificate's attributes as a policy condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5, for details.
Step 5 Create an access service. See Configuring Access Services, page 10-11, for more information.
Step 6 In the Allowed Protocols page, choose EAP-TLS, or choose PEAP with EAP-TLS as its inner method.
Step 7 Configure identity and authorization policies for the access service. See Configuring Access Service Policies, page 10-22, for details.
Note When you create rules for the identity policy, the result may be the Certificate Authentication Profile or an Identity Sequence. See Viewing Identity Policies, page 10-22, for more information.
Step 8 Configure the Authorization Policies. See Configuring a Session Authorization Policy for Network Access, page 10-30.
Step 9 Configure the Service Selection Policy. See Configuring the Service Selection Policy, page 10-5.
Related Topics
Configuring Local Server Certificates, page 18-14
Configuring CA Certificates, page 8-71
Authentication in ACS 5.4, page B-1
Overview of EAP-TLS, page B-6
Authorizing the ACS Web Interface from Your Browser Using a Certificate
Your browser connects to the ACS web interface over HTTPS. During the TLS handshake ACS presents its Local Server Certificate, which is what your browser uses to verify that it is talking to the genuine ACS server; if the browser does not trust the issuing CA, it warns you before the login page loads. The authentication is one-way only: ACS does not request or validate a client certificate from the browser, so mutual (client-certificate) TLS authentication of the web interface is not supported. Administrator login to the web interface is therefore by username and password, protected by the server-authenticated HTTPS session.
Table 4-2 Network Access Authentication Protocols

Protocol: EAP-TLS
Action: In the Allowed Protocols page, choose Allow EAP-TLS to enable the EAP-TLS settings.
  Enable Stateless Session Resume—Check this check box to enable the Stateless Session Resume feature for this access service. When it is enabled, you can configure the following options:
  Proactive Session Ticket update—Enter a percentage indicating how much of the Time to Live must elapse before the session ticket is updated. For example, if you enter 10, the session ticket is updated once 10 percent of the Time to Live has expired.
  Session ticket Time to Live—Enter the maximum lifetime of the session ticket as a positive integer in days, weeks, months, or years.

Protocol: PEAP
Action: In the Allowed Protocols page, choose PEAP. For the PEAP inner method, choose EAP-TLS or PEAP Cryptobinding TLV.
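The two Stateless Session Resume settings above interact: the Time to Live bounds how long a presented session ticket is honoured at all, and the Proactive Session Ticket update percentage sets the point within that lifetime at which ACS hands the client a fresh ticket, so a long-lived client never runs its ticket to expiry and is never forced into a full EAP-TLS handshake. The following Python is an added illustration of that decision logic and is not ACS code; the `SessionTicket` class, the `evaluate_resume` function and the 30-day month and 365-day year conversions are this example's own assumptions (the real ticket is opaque encrypted state and ACS's calendar arithmetic is not documented on this page). It walks the page's own example of a 1-day ticket with a 10 percent update threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed conversions for the Time to Live units the ACS page offers
# (days, weeks, months, years). ACS's own month/year arithmetic is not
# documented here; 30-day months and 365-day years are this example's assumption.
TTL_UNIT_SECONDS = {
    "days": 86_400,
    "weeks": 7 * 86_400,
    "months": 30 * 86_400,
    "years": 365 * 86_400,
}


def ttl_from_setting(value: int, unit: str) -> timedelta:
    """Convert the 'Session ticket Time to Live' setting (positive integer + unit)."""
    if not isinstance(value, int) or value <= 0:
        raise ValueError("Time to Live must be a positive integer")
    if unit not in TTL_UNIT_SECONDS:
        raise ValueError(f"unknown TTL unit {unit!r}")
    return timedelta(seconds=value * TTL_UNIT_SECONDS[unit])


@dataclass(frozen=True)
class SessionTicket:
    """Hypothetical stand-in for a TLS session ticket: issue time and lifetime.
    The real ticket is opaque, encrypted server state; only the timing matters here."""
    issued_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


def evaluate_resume(ticket: SessionTicket, now: datetime, proactive_update_percent: int) -> str:
    """Decide what the server does with a ticket presented at `now`.

    Returns one of:
      "reject"             - ticket expired or dated in the future: full EAP-TLS handshake
      "resume"             - ticket valid, not yet at the proactive-update threshold
      "resume_and_refresh" - ticket valid and at least `proactive_update_percent` of its
                             TTL has elapsed, so a new ticket is issued with the resumed session
    """
    if not 0 <= proactive_update_percent <= 100:
        raise ValueError("Proactive Session Ticket update must be a percentage (0-100)")
    age = now - ticket.issued_at
    # A ticket from the future means clock skew or tampering; never honour it.
    if age < timedelta(0):
        return "reject"
    if age >= ticket.ttl:
        return "reject"
    refresh_threshold = ticket.ttl * (proactive_update_percent / 100)
    if age >= refresh_threshold:
        return "resume_and_refresh"
    return "resume"


def demo() -> dict:
    """The page's example: TTL of 1 day, update once 10 percent (2.4 hours) has elapsed."""
    issued = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    ticket = SessionTicket(issued_at=issued, ttl=ttl_from_setting(1, "days"))
    probes = [
        ("1h", timedelta(hours=1)),    # well inside the TTL, before the 10 percent mark
        ("3h", timedelta(hours=3)),    # past 2.4 hours: resume and hand out a new ticket
        ("25h", timedelta(hours=25)),  # past the 24-hour TTL: reject, full handshake
        ("-1h", timedelta(hours=-1)),  # issued "in the future": reject
    ]
    return {label: evaluate_resume(ticket, issued + offset, 10) for label, offset in probes}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:>4}: {decision}")
```

Setting the percentage to 100 makes the refresh threshold coincide with expiry, so a client would never receive a refreshed ticket while its current one is still valid; a low value such as the page's 10 keeps tickets rotating well before the TTL is reached.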