B-8
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-TLS
An anonymous Diffie-Hellman tunnel is a completely anonymous tunnel established between a client and a server in cases where neither peer authenticates itself. The ACS runtime supports anonymous Diffie-Hellman tunnels for EAP-FAST with a predefined prime and a predefined generator of two. No server authentication is conducted within anonymous Diffie-Hellman tunnel cipher suites.
An authenticated Diffie-Hellman tunnel is similar to an anonymous Diffie-Hellman tunnel, with the additional factor that peer authentication is conducted through an RSA certificate. ACS supports authenticated Diffie-Hellman tunnels for EAP-FAST, where the server authenticates by using its own certificate.
Additional client authentications are conducted within the tunnel by using other protocols, such as
EAP-MSCHAPv2 or EAP-GTC for the inner EAP method.
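The two tunnel types above, as an added Python illustration that is not ACS code: the client-side check that separates an authenticated Diffie-Hellman exchange from an anonymous one. The small group, the generator of two, the textbook RSA key standing in for the server certificate, and the hash-based tunnel key are all constructed assumptions that keep the arithmetic readable; the predefined prime ACS uses is not on this page and is not used here.

```python
import hashlib
import secrets
# Added illustration, not ACS code; constructed tiny parameters, NOT the EAP-FAST prime.

def is_prime(n):
    """Trial division; adequate for the small constructed values used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime(start):
    """First safe prime p = 2q + 1 with q >= start; generator 2 then has order q or 2q."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

P, G = safe_prime(1 << 20), 2   # constructed DH group with a generator of two

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_key(priv, peer_pub):
    """Tunnel key material derived from the shared secret g^(ab) mod p."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def rsa_keypair():
    """Textbook RSA (no padding), standing in for the server certificate's key pair."""
    p, q, e = safe_prime(1 << 18), safe_prime(1 << 19), 65537
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def client_anonymous(server_pub):
    """Anonymous DH: the client keys the tunnel from whatever value arrives;
    nothing here can tell whether server_pub came from the intended server."""
    priv, pub = dh_keypair()
    return pub, dh_key(priv, server_pub)

def client_authenticated(server_pub, sig, cert_pub):
    """Authenticated DH: accept server_pub only if the certificate key signed it."""
    if not rsa_verify(cert_pub, str(server_pub).encode(), sig):
        return None, None   # reject: the value was not vouched for by the server
    priv, pub = dh_keypair()
    return pub, dh_key(priv, server_pub)
```

In the anonymous case the client always completes the exchange; in the authenticated case a public value that the certificate key did not sign is refused before any key is derived.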
Related Topics
Configuring Local Server Certificates, page 18-14
Configuring CA Certificates, page 8-68
Configuring Certificate Authentication Profiles, page 8-72
PKI Credentials
This section contains the following topics:
PKI Usage, page B-8
Fixed Management Certificates, page B-9
Importing Trust Certificates, page B-9
Exporting Credentials, page B-11
PKI Usage
ACS supports using certificates for various PKI use cases. The main use case is the EAP-TLS protocol,
where the PKI is used to authenticate not only the server, but also the client (PEAP and EAP-FAST also
make use of certificates for server authentication, but do not perform client authentication). Other
protocols which use the PKI credentials are LDAPS, HTTPS Management protocol, SSH, and SFTP.
For TLS-related EAP protocols, a single local certificate is used to authenticate the server for all the TLS-related EAP protocols. You can pick the certificate to use from any of the certificates containing a private key in the Local Certificate store.
For other protocols, such as HTTPS, SFTP, and SSH, and for the message-bus ActiveMQ authentication,
a single certificate should be configured to authenticate ACS. You can pick the certificate to use from
any of the certificates containing a private-key in the Local Certificate store. You can configure the same
local certificate for the TLS-related EAP protocols and for HTTPS Management protocol.
For HTTPS, SFTP, SSH, and ActiveMQ, an auto-generated self-signed certificate can be used as the means for server authentication.