Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
78-13751-01, Version 3.0

EAP-TLS Setup Overview

This section outlines the basic steps necessary to implement EAP-TLS in Cisco Secure ACS.

• Obtain, and install on Cisco Secure ACS, a "server" certificate. You can perform the "server" certificate installation using either the manual enrollment procedure or the automatic enrollment procedure in this section.
• Install a certificate for the CA that issued the Cisco Secure ACS "server" certificate. For more information, see the "Certification Authority Setup" section on page 8-70.
• Ensure that any CA that you want to allow users to employ is listed in the Cisco Secure ACS certificate trust list (CTL). For more information, see the "Editing the Certificate Trust List" section on page 8-72.
• Verify that the users you intend to authenticate using EAP-TLS reside in a database that supports EAP-TLS (CiscoSecure user database, Windows 2000 database, or generic LDAP database only).
• Verify that the user account names in Cisco Secure ACS match the subject field in each user certificate.
• Confirm that you have configured authentication options for EAP-TLS, and then restart Cisco Secure ACS. For more detailed information, see the "Global Authentication Setup" section on page 8-73.

Requirements for Certificate Enrollment

Cisco Secure ACS supports a variety of PKIs for digital certificate enrollment. To use the ACS general certificate enrollment feature, the following conditions apply:

• You must have a CA capable of handling PKCS #10 certificate requests if you intend to use Cisco Secure ACS to generate the certificate request.
• You must only employ certificates that meet the X.509 v3 digital certificate standard.
• The certificate's intended purpose must include server authentication.
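The following shell script is added here as an illustration; it is not part of the Cisco Secure ACS software or of this guide. It uses the openssl command line to build a throwaway CA, produce a PKCS #10 request as ACS would during enrollment, and then check the issued certificates against the conditions above and in the setup overview: X.509 v3, an intended purpose that includes server authentication, an issuer present in the trust list (modelled here as a PEM bundle standing in for the CTL), and a user certificate whose subject matches the account name. The CA name, host name, account names, and file locations are constructed; the script assumes an openssl CLI (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): build a throwaway PKI with openssl
# and check certificates against the EAP-TLS requirements listed above.
# Assumes: openssl 1.1.1+ on PATH. All names and paths below are constructed.
set -e

# Build (once) a private CA, then a PKCS #10 request and a signed certificate
# carrying the given extendedKeyUsage.
#   $1 = output dir, $2 = file prefix, $3 = subject CN, $4 = EKU (serverAuth|clientAuth)
issue_cert() {
    dir="$1"; name="$2"; cn="$3"; eku="$4"
    mkdir -p "$dir"
    if [ ! -f "$dir/ca.pem" ]; then
        # Constructed issuing CA; in practice this is whatever CA enrolls ACS
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    fi
    # PKCS #10 certificate request, as ACS generates during enrollment
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    # X.509 v3 extensions the CA applies at signing time
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
}

# Requirement: the certificate must be X.509 v3. Prints the version number.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Requirement: intended purpose must include the named EKU
#   $1 = cert, $2 = EKU name as openssl prints it (e.g. "TLS Web Server Authentication")
cert_has_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -q "$2"
}

# Requirement: the issuing CA must be in the trust list ($2 = PEM bundle acting as CTL)
cert_issuer_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Requirement: the ACS account name must match the certificate subject. Prints the CN.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "Server" certificate checks: v3, serverAuth purpose, issuer in CTL.
#   $1 = cert, $2 = CTL bundle. Returns non-zero on the first failed requirement.
check_server_cert() {
    [ "$(cert_version "$1")" = 3 ] || { echo "FAIL $1: not X.509 v3" >&2; return 1; }
    cert_has_eku "$1" "TLS Web Server Authentication" \
        || { echo "FAIL $1: purpose does not include server authentication" >&2; return 1; }
    cert_issuer_trusted "$1" "$2" || { echo "FAIL $1: issuer not in CTL" >&2; return 1; }
    echo "OK $1: meets the EAP-TLS server certificate requirements"
}

# User certificate checks: issuer in CTL and subject CN equal to the ACS account name.
#   $1 = cert, $2 = CTL bundle, $3 = account name
check_user_cert() {
    cert_issuer_trusted "$1" "$2" || { echo "FAIL $1: issuer not in CTL" >&2; return 1; }
    cn=$(cert_subject_cn "$1")
    [ "$cn" = "$3" ] || { echo "FAIL $1: subject CN '$cn' does not match account '$3'" >&2; return 1; }
    echo "OK $1: subject matches account $3"
}

# Demo run with constructed names: one ACS "server" cert and one user cert.
DEMO="${DEMO:-$(mktemp -d)}"
issue_cert "$DEMO" acs "acs01.example.test" serverAuth
issue_cert "$DEMO" jdoe "jdoe" clientAuth
check_server_cert "$DEMO/acs.pem" "$DEMO/ca.pem"
check_user_cert "$DEMO/jdoe.pem" "$DEMO/ca.pem" jdoe
```

Running the script prints one "OK" line for each certificate. Pointing check_server_cert at the user certificate fails on the purpose check, since its EKU is clientAuth rather than serverAuth, and check_user_cert fails when the account name passed in differs from the certificate's CN; both are the mismatches that an EAP-TLS deployment must rule out before enabling the protocol.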
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
8-63