8-72
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Configuring Certificate Authentication Profiles
Related Topic
Overview of EAP-TLS, page B-6
Exporting a Certificate Authority
To export a trust certificate:
Step 1 Select Users and Identity Stores > Certificate Authorities.
The Trust Certificate List page appears with a list of configured certificates.
Step 2 Check the box next to the certificates that you want to export.
Step 3 Click Export.
This operation exports the trusted certificate to the client machine.
Step 4 Click Yes to confirm.
You are prompted to install the exported certificate on your client machine.
Related Topics
User Certificate Authentication, page B-6
Overview of EAP-TLS, page B-6
Configuring Certificate Authentication Profiles
The certificate authentication profile defines the X509 certificate information to be used for a certificate-based access request. You can select an attribute from the certificate to be used as the username.
You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is then used to identify the user for the remainder of the request, including the identification used in the logs.
You can use the certificate authentication profile to retrieve certificate data to further validate a certificate presented by an LDAP or AD client. The username from the certificate authentication profile is used to query the LDAP or AD identity store.
ACS compares the client certificate against all certificates retrieved from the LDAP or AD identity store, one after another, to see if one of them matches. ACS either accepts or rejects the request.
Note For ACS to accept a request, it is sufficient that one certificate from either the LDAP or the AD identity store matches the client certificate.
When ACS processes a certificate-based request for authentication, one of two things happens: the username from the certificate is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or AD identity store to validate the certificate information.
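The two steps the profile describes, taking the username from a chosen certificate attribute and then comparing the presented certificate one by one against the certificates stored for that user in the directory, are illustrated below in an added Go example. This is not ACS code and not Cisco's implementation; the `Directory` map stands in for the LDAP or AD identity store, the attribute names `SubjectCN` and `SubjectAltEmail` are this example's own, and the certificates are generated in memory as constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UsernameAttr selects which certificate field supplies the username, the
// choice a certificate authentication profile makes. Names are this example's own.
type UsernameAttr int

const (
	SubjectCN       UsernameAttr = iota // Subject Common Name
	SubjectAltEmail                     // first rfc822Name in the Subject Alternative Name
)

// UsernameFromCert extracts the username from the selected attribute and fails
// closed when the certificate does not carry that attribute.
func UsernameFromCert(cert *x509.Certificate, attr UsernameAttr) (string, error) {
	switch attr {
	case SubjectCN:
		if cert.Subject.CommonName == "" {
			return "", errors.New("certificate has no Subject CN")
		}
		return cert.Subject.CommonName, nil
	case SubjectAltEmail:
		if len(cert.EmailAddresses) == 0 {
			return "", errors.New("certificate has no rfc822Name SAN")
		}
		return cert.EmailAddresses[0], nil
	}
	return "", errors.New("unknown username attribute")
}

// Directory is a constructed stand-in for the LDAP/AD identity store:
// username -> DER-encoded certificates stored on the user object.
type Directory map[string][][]byte

// MatchesStoredCertificate compares the presented certificate against every
// certificate stored for the username, one after another; a single
// byte-for-byte (DER) match is enough to accept.
func MatchesStoredCertificate(dir Directory, username string, presented *x509.Certificate) bool {
	for _, der := range dir[username] {
		if bytes.Equal(der, presented.Raw) {
			return true
		}
	}
	return false
}

// Authenticate runs both steps: derive the username from the certificate, then
// validate the certificate against what the directory holds for that user.
func Authenticate(dir Directory, presented *x509.Certificate, attr UsernameAttr) (string, bool) {
	user, err := UsernameFromCert(presented, attr)
	if err != nil {
		return "", false
	}
	return user, MatchesStoredCertificate(dir, user, presented)
}

// NewTestCert builds a self-signed client certificate in memory (constructed data).
func NewTestCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	alice, _ := NewTestCert("alice", "alice@example.com")
	stale, _ := NewTestCert("alice", "alice@example.com") // same names, different key: not in the directory
	dir := Directory{"alice": {alice.Raw}}
	for _, c := range []*x509.Certificate{alice, stale} {
		user, ok := Authenticate(dir, c, SubjectCN)
		fmt.Printf("user=%q serial=%v accepted=%v\n", user, c.SerialNumber, ok)
	}
}
```

The last case in `main` is the one worth noticing: a certificate with the same CN and e-mail but a different key derives the same username yet is rejected, because the match is on the stored certificate bytes, not on the name. The username attribute chosen in the profile must also agree with how the directory is keyed; a profile that selects the e-mail SAN against a directory keyed by CN finds no entry and rejects.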
You can duplicate a certificate authentication profile to create a new profile that is the same as, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicated) separately, to edit or delete them.