Cisco Systems OL-24201-01 manual Configuring Certificate Authentication Profiles

Chapter 8 Managing Users and Identity Stores

Configuring Certificate Authentication Profiles

Related Topic

Overview of EAP-TLS, page B-6

Exporting a Certificate Authority

To export a trust certificate:

Step 1 Select Users and Identity Stores > Certificate Authorities.

The Trust Certificate List page appears with a list of configured certificates.

Step 2 Check the box next to the certificates that you want to export.

Step 3 Click Export.

This operation exports the trusted certificate to the client machine.

Step 4 Click Yes to confirm.

You are prompted to install the exported certificate on your client machine.

Related Topics

User Certificate Authentication, page B-6

Overview of EAP-TLS, page B-6

Configuring Certificate Authentication Profiles

The certificate authentication profile defines the X.509 certificate information to be used for a certificate-based access request. You can select an attribute from the certificate to be used as the username.

You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is then used to identify the user for the remainder of the request, including the identification used in the logs.

You can use the certificate authentication profile to retrieve certificate data to further validate a certificate presented by an LDAP or AD client. The username from the certificate authentication profile is used to query the LDAP or AD identity store.

ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store, one after another, to see if one of them matches. ACS either accepts or rejects the request.

Note For ACS to accept a request, only one certificate from either the LDAP or the AD identity store must match the client certificate.

When ACS processes a certificate-based request for authentication, one of two things happens: either the username from the certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or AD identity store to validate the certificate information.

You can duplicate a certificate authentication profile to create a new profile that is the same as, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicated) separately to edit or delete it.
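The two behaviours described above (populating the request's username from a selected certificate attribute, then comparing the presented certificate one by one against the certificates retrieved from the identity store) can be modelled in a few dozen lines. The following is an added example and not Cisco's or ACS's code: it assumes a toy certificate layout (a DER SEQUENCE holding only a Subject name and an octet-string key identifier, far less than a real X.509 certificate), a constructed dictionary standing in for the LDAP or AD lookup, and a hand-written DER encoder/decoder for the Subject so that it runs offline with the Python standard library only. The commonName and emailAddress OIDs are the real ones; everything else is constructed.

```python
"""Toy model of a certificate authentication profile (added example, not ACS code).

The DER helpers cover only what the Subject (RDNSequence) needs. The identity
store is a constructed dict {username: [cert_der, ...]} standing in for the
LDAP/AD query that ACS performs with the username taken from the certificate.
"""

OID_CN = "2.5.4.3"                   # commonName (real OID)
OID_EMAIL = "1.2.840.113549.1.9.1"   # emailAddress (real OID)


# ---- minimal DER helpers ---------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but last
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, contents, end_offset) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_subject(attrs):
    """[(oid, value), ...] -> DER RDNSequence with one attribute per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, val.encode())))
        for oid, val in attrs)
    return _tlv(0x30, rdns)


def decode_subject(rdn_seq):
    """DER RDNSequence -> {oid: value}; the first occurrence of an OID wins."""
    _, seq, _ = _read_tlv(rdn_seq, 0)
    attrs, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)      # SET OF AttributeTypeAndValue
        _, ava, _ = _read_tlv(rdn, 0)          # SEQUENCE { type, value }
        _, oid_body, p = _read_tlv(ava, 0)
        _, val_body, _ = _read_tlv(ava, p)
        attrs.setdefault(_decode_oid(oid_body), val_body.decode())
    return attrs


# ---- constructed stand-in for a certificate --------------------------------
def make_cert(attrs, key_id):
    """SEQUENCE { subject, OCTET STRING key_id }: a toy, not real X.509."""
    return _tlv(0x30, encode_subject(attrs) + _tlv(0x04, key_id))


def subject_of(cert_der):
    _, body, _ = _read_tlv(cert_der, 0)
    _, _, end = _read_tlv(body, 0)             # subject is the first element
    return body[:end]


# ---- the profile logic the manual describes --------------------------------
class CertAuthProfile:
    def __init__(self, username_oid, identity_store):
        self.username_oid = username_oid       # the attribute chosen as username
        self.identity_store = identity_store   # constructed LDAP/AD stand-in

    def username_from(self, cert_der):
        """Populate the request's username from the selected attribute."""
        return decode_subject(subject_of(cert_der)).get(self.username_oid)

    def authenticate(self, client_cert):
        """Return (username, accepted); accept only if one stored cert matches."""
        username = self.username_from(client_cert)
        if username is None:
            return None, False                 # no usable identity in the cert
        stored = self.identity_store.get(username, [])
        # Compare the client certificate against each retrieved certificate,
        # one after another; a single binary match is enough to accept.
        return username, any(c == client_cert for c in stored)


# ---- constructed sample data -----------------------------------------------
ALICE_OLD = make_cert([(OID_CN, "alice"), (OID_EMAIL, "alice@example.test")], b"\x01")
ALICE_NEW = make_cert([(OID_CN, "alice"), (OID_EMAIL, "alice@example.test")], b"\x02")
ALICE_UNKNOWN = make_cert([(OID_CN, "alice")], b"\x03")   # same name, not in the store
NO_CN = make_cert([(OID_EMAIL, "bob@example.test")], b"\x04")

STORE = {"alice": [ALICE_OLD, ALICE_NEW]}
PROFILE_BY_CN = CertAuthProfile(OID_CN, STORE)
PROFILE_BY_EMAIL = CertAuthProfile(OID_EMAIL, {"alice@example.test": [ALICE_NEW]})

if __name__ == "__main__":
    for label, cert in [("old", ALICE_OLD), ("new", ALICE_NEW),
                        ("unknown", ALICE_UNKNOWN), ("no_cn", NO_CN)]:
        print(label, PROFILE_BY_CN.authenticate(cert))
```

The point the sample data makes is the one in the Note above: a certificate whose selected attribute names a valid user is still rejected unless its bytes match one of the certificates the store returns for that user, and a certificate that lacks the selected attribute yields no username at all, so the request cannot be tied to an identity or logged under one.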


User Guide for Cisco Secure Access Control System 5.3

8-72

OL-24201-01
