
8-63
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
EAP-TLS Setup Overview

This section outlines the basic steps necessary to implement EAP-TLS in Cisco Secure ACS.
• Obtain a “server” certificate and install it on Cisco Secure ACS. You can install the “server” certificate using either the manual enrollment procedure or the automatic enrollment procedure in this section.
• Install the certificate of the CA that issued the Cisco Secure ACS “server” certificate. For more information, see the “Certification Authority Setup” section on page 8-70.
• Ensure that every CA whose user certificates you want to accept is listed in the Cisco Secure ACS certificate trust list (CTL). Any CA in the CTL can issue a certificate carrying any user name, so list only CAs you trust to vouch for your users. For more information, see the “Editing the Certificate Trust List” section on page 8-72.
• Verify that the users you intend to authenticate with EAP-TLS reside in a database that supports EAP-TLS (the CiscoSecure user database, the Windows 2000 database, or a generic LDAP database only).
• Verify that each user account name in Cisco Secure ACS matches the subject field of that user’s certificate.
• Confirm that you have configured the authentication options for EAP-TLS, then restart Cisco Secure ACS. For more detailed information, see the “Global Authentication Setup” section on page 8-73.
Requirements for Certificate Enrollment

Cisco Secure ACS supports a variety of PKIs for digital certificate enrollment. To use the ACS general certificate enrollment feature, the following conditions apply:
• If you intend to use Cisco Secure ACS to generate the certificate request, your CA must be able to process PKCS #10 certificate requests.
• You must use only certificates that conform to the X.509 v3 digital certificate standard.
• The certificate’s intended purpose (its extended key usage) must include server authentication.
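The following script is an added example and is not part of the Cisco guide. It builds a throwaway OpenSSL lab PKI that satisfies the three enrollment requirements above (a PKCS #10 request, an X.509 v3 certificate, and an extended key usage that includes server authentication) and then checks each requirement, plus the user-name/subject match and the trusted-issuer condition from the setup overview. It assumes `openssl` is on the path; the CA name, the host name `acs.lab.example` and the user `jdoe` are invented for the demonstration.

```sh
#!/bin/sh
# Added example, not from the Cisco guide: a throwaway lab PKI that meets the
# enrollment requirements above, plus a check for each requirement and for the
# user-name/subject match from the setup overview. The CA name, the host name
# acs.lab.example and the user jdoe are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
quiet() { "$@" >/dev/null 2>&1; }

# Lab root CA. In the real setup this is the CA whose certificate you install
# under Certification Authority Setup and list in the CTL.
quiet openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Root CA" \
    -keyout ca.key -out ca.csr
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
quiet openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.pem

# PKCS #10 request for the ACS "server" certificate (what manual enrollment
# hands to the CA), issued as an X.509 v3 certificate with EKU serverAuth.
quiet openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=acs.lab.example" \
    -keyout acs.key -out acs.csr
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
quiet openssl x509 -req -in acs.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile server.ext -out acs.pem

# A user certificate. ACS matches the user account name against the subject,
# so the CN is the account name. It carries clientAuth only, so it must NOT
# pass the server-authentication check below.
quiet openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=jdoe" \
    -keyout jdoe.key -out jdoe.csr
cat > user.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
quiet openssl x509 -req -in jdoe.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile user.ext -out jdoe.pem

CA_CERT="$WORK/ca.pem"; ACS_CERT="$WORK/acs.pem"; USER_CERT="$WORK/jdoe.pem"

# Requirement: X.509 v3 (the "Version: 3 (0x2)" line of the text dump).
cert_is_v3() { openssl x509 -in "$1" -noout -text | grep -q 'Version: 3'; }

# Requirement: intended purpose includes server authentication (EKU serverAuth).
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Setup step: the subject CN, which must equal the ACS user account name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject=[[:space:]]*//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# Setup step: the issuer must be a CA you trust (in ACS, one listed in the CTL).
cert_chains_to() { quiet openssl verify -CAfile "$2" "$1"; }

for f in "$ACS_CERT" "$USER_CERT"; do
    printf '%s: v3=%s serverAuth=%s CN=%s trusted=%s\n' "$(basename "$f")" \
        "$(cert_is_v3 "$f" && echo yes || echo no)" \
        "$(cert_has_server_auth "$f" && echo yes || echo no)" \
        "$(cert_cn "$f")" \
        "$(cert_chains_to "$f" "$CA_CERT" && echo yes || echo no)"
done
```

`acs.csr` is the PKCS #10 request you would submit to a real CA during manual enrollment; `acs.pem` and `ca.pem` correspond to the server certificate and the issuing CA certificate you install on Cisco Secure ACS. The user certificate deliberately fails the server-authentication check: a certificate issued with only `clientAuth` (or with no extended key usage that includes server authentication) does not satisfy the third requirement and cannot serve as the ACS “server” certificate, even though it is otherwise a valid X.509 v3 certificate from a trusted CA.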