Cisco Systems OL-24201-01 manual Configuring CA Certificates

Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

•Configuring Shell Prompts, page 8-66

•Configuring Advanced Options, page 8-68

Configuring Advanced Options

In the Advanced tab, you can do the following:

•Define what an access reject from a RADIUS identity server means to you.

•Enable identity caching.

Table 8-18describes the fields in the Advanced tab of the RADIUS Identity Servers page.

Table 8-18 RADIUS Identity Server - Advanced Tab

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.

Identity caching is used to allow processing of requests that do not perform authentication against the server. The cache retains the results and attributes retrieved from the last successful authentication for the subject.

Click Submit to save the RADIUS Identity Server.

Related Topics

•RADIUS Identity Stores, page 8-60

•Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Configuring CA Certificates

When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.

If ACS does not trust the client’s CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.