B-32
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
Certificate Attributes
ACS parses the following attributes of the client certificate:
- Certificate serial number (in binary format)
- Encoded certificate (in binary DER format)
- Subject's CN attribute (Common Name)
- Subject's O attribute (Organization)
- Subject's OU attribute (Organizational Unit)
- Subject's L attribute (Location)
- Subject's C attribute (Country)
- Subject's ST attribute (State or Province)
- Subject's E attribute (e-mail)
- Subject's SN attribute (Subject Serial Number)
- SAN (Subject Alternative Name)
You can define a policy that sets the principal username used in the TLS conversation to an attribute
taken from the received certificate.
The attributes that can be used as the principal username are:
- Subject CN
- Subject Serial Number (SN)
- SAN
- Subject
- SAN—Email
- SAN—DNS
- SAN—otherName
If the certificate does not contain the configured attribute, authentication fails.
Note: ACS 5.3 supports short hard-coded attributes and certificate attribute verification only for the
EAP-TLS protocol.
Certificate Binary Comparison
You can perform a binary comparison against a certificate that ACS retrieves from an external identity
store, and you can specify which parameters of that identity store are used for the comparison.
Note: In ACS 5.3, LDAP is the only external identity store that holds certificates.
ACS uses the configured principal username to query for the user's certificate and then performs a binary
comparison between the certificate received from the external identity store and the one received from the
client. The comparison is performed on the DER encoding of the certificates.