Chapter 4 Common Scenarios Using ACS

Certificate-Based Network Access

Related Topics

Authentication in ACS 5.3, page B-1

Network Devices and AAA Clients, page 7-5

Managing Access Policies, page 10-1

Creating, Duplicating, and Editing Access Services, page 10-12

About PACs, page B-21

Certificate-Based Network Access

This section contains the following topics:

Overview of Certificate-Based Network Access, page 4-9

Using Certificates in ACS, page 4-10

Certificate-Based Network Access for EAP-TLS, page 4-10

For more information about certificate-based protocols, see Appendix B, “Authentication in ACS 5.3.”

Overview of Certificate-Based Network Access

Before using EAP-TLS, you must install a computer certificate on ACS. The installed computer certificate must be issued from a CA that can follow a certificate chain to a root CA that the access client trusts.

Additionally, for ACS to validate the user or computer certificate of the access client, you must install on ACS the certificate of the root CA that issued the user or computer certificates to the access clients.

ACS supports certificate-based network access through the EAP-TLS protocol, which uses certificates for server authentication by the client and for client authentication by the server.

Other protocols, such as PEAP or the authenticated-provisioning mode of EAP-FAST, also use certificates for server authentication by the client, but they are not considered certificate-based network access because the server does not use certificates to authenticate the client.

ACS Public Key Infrastructure (PKI) certificate-based authentication is based on X.509 certificate identification. The entity that identifies itself with a certificate holds the private key that corresponds to the public key stored in the certificate.

A certificate can be self-signed or signed by another CA. A hierarchy of certificates can be built to establish the trust relationship of each entity to its CA. The trusted root CA is the entity that signs the certificates of all other CAs in the hierarchy and, through them, every certificate below it.

ACS identifies itself with its own certificate. ACS supports a certificate trust list (CTL) for authorizing connection certificates. ACS also supports complex hierarchies and authorizes an identity certificate when all of the certificates in its chain are presented.

ACS supports RSA key sizes of 512, 1024, 2048, or 4096 bits in certificates; other key sizes may also be used. ACS 5.3 supports RSA and does not support the Digital Signature Algorithm (DSA). However, in some use cases, ACS does not prevent DSA cipher suites from being used for certificate-based authentication.

All certificates that are used for network access authentication must meet the requirements for X.509 certificates and work for connections that use SSL/TLS. After this minimum requirement is met, the client and server certificates have additional requirements.
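The chain and key rules above (the client certificate must chain to a root in the trust list, every intermediate in the chain must be presented, and only RSA keys are supported) can be exercised with the Go standard library. The following is an added example, not code from the Cisco guide or from ACS: it builds a constructed root CA, an issuing CA and a user certificate in memory, then validates the user certificate against a trust list the way the text describes. The CA names and the user name are made-up sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed root CA -> issuing CA -> identity certificate chain
// (sample data generated in-process; not ACS's own certificates).
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// signCert issues a certificate for cn signed by parentKey; when parent is nil it is self-signed.
func signCert(cn string, isCA bool, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep the serial positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// An EAP-TLS supplicant certificate is used for client authentication by the server.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy generates fresh RSA keys of the given size and issues the three certificates.
func BuildHierarchy(bits int) (*Hierarchy, error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root, err := signCert("Sample Root CA", true, keys[0], nil, nil)
	if err != nil {
		return nil, err
	}
	inter, err := signCert("Sample Issuing CA", true, keys[1], root, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := signCert("user1@example.com", false, keys[2], inter, keys[1])
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyIdentity performs the check the server makes on a supplicant certificate: the chain from
// the identity certificate, through the intermediates the client presents, must end at a root in
// the trust list. An intermediate that is neither trusted nor presented breaks the chain.
func VerifyIdentity(leaf *x509.Certificate, presented, trustList []*x509.Certificate) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustList {
		roots.AddCert(c)
	}
	for _, c := range presented {
		intermediates.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// KeyInfo applies the key rule from the guide: RSA only (DSA rejected), and reports whether the
// size is one of the listed 512/1024/2048/4096 values (other sizes may still be used).
func KeyInfo(c *x509.Certificate) (bits int, listed bool, err error) {
	pub, ok := c.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, false, fmt.Errorf("%q uses %v, but only RSA is supported", c.Subject.CommonName, c.PublicKeyAlgorithm)
	}
	bits = pub.N.BitLen()
	switch bits {
	case 512, 1024, 2048, 4096:
		listed = true
	}
	return bits, listed, nil
}

func main() {
	h, err := BuildHierarchy(2048)
	if err != nil {
		panic(err)
	}
	trust := []*x509.Certificate{h.Root}
	fmt.Println("full chain presented:   ", VerifyIdentity(h.Leaf, []*x509.Certificate{h.Intermediate}, trust))
	fmt.Println("intermediate withheld:  ", VerifyIdentity(h.Leaf, nil, trust))
	fmt.Println("root not in trust list: ", VerifyIdentity(h.Leaf, []*x509.Certificate{h.Intermediate}, nil))
	bits, listed, err := KeyInfo(h.Leaf)
	fmt.Println("leaf key bits:", bits, "listed size:", listed, "err:", err)
}
```

The first verification succeeds only because the issuing CA certificate is presented alongside the user certificate and the root is in the trust list; withholding the intermediate or leaving the root out of the trust list both fail, which is the practical reason the guide insists on installing the root CA certificate on ACS and on clients presenting their full chain.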

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

4-9