4-9
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Certificate-Based Network Access
Related Topics
Authentication in ACS 5.3, page B-1
Network Devices and AAA Clients, page 7-5
Managing Access Policies, page 10-1
Creating, Duplicating, and Editing Access Services, page 10-12
About PACs, page B-21
Certificate-Based Network Access
This section contains the following topics:
Overview of Certificate-Based Network Access, page 4-9
Using Certificates in ACS, page 4-10
Certificate-Based Network Access for EAP-TLS, page 4-10
For more information about certificate-based protocols, see Appendix B, “Authentication in ACS 5.3.”
Overview of Certificate-Based Network Access
Before using EAP-TLS, you must install a computer (server) certificate on ACS. The installed
certificate must be issued by a CA whose certificate chain leads to a root CA that the access client
trusts; otherwise the client cannot verify ACS during the TLS handshake.
Additionally, for ACS to validate the user or computer certificate that an access client presents, you
must install on ACS the certificate of the root CA that issued (directly or through subordinate CAs) the
user or computer certificates to the access clients.
ACS supports certificate-based network access through the EAP-TLS protocol, which uses certificates
both for the client to authenticate the server and for the server to authenticate the client.
Other protocols, such as PEAP or the authenticated-provisioning mode of EAP-FAST, also use a
certificate for the client to authenticate the server, but they are not considered certificate-based
network access because the server does not authenticate the client with a certificate.
ACS Public Key Infrastructure (PKI) certificate-based authentication is based on X.509 certificate
identification. The entity that identifies itself with a certificate holds the private key that
corresponds to the public key stored in the certificate.
A certificate can be self-signed or signed by a CA. Certificates can form a hierarchy in which each
entity's certificate is signed by its CA and each CA's certificate is in turn signed by the CA above it.
The trusted root CA sits at the top of the hierarchy: it signs the certificates of the subordinate CAs
and, through them, directly or indirectly signs every certificate in the hierarchy.
ACS identifies itself to clients with its own certificate. To decide which client certificates to accept,
ACS maintains a certificate trust list (CTL) of trusted CA certificates. ACS also supports multi-level
hierarchies: an identity certificate issued by a subordinate CA is accepted when the client presents the
full chain of intermediate CA certificates that links it to a CA in the CTL.
ACS supports RSA keys of 512, 1024, 2048, or 4096 bits in certificates; other RSA key sizes may also
work. ACS 5.3 supports only RSA keys. It does not support the Digital Signature Algorithm (DSA),
although in some cases ACS does not prevent DSA cipher suites from being negotiated for
certificate-based authentication. Note that ACS accepting a key size does not make it safe: 512-bit RSA
keys can be factored with modest resources and 1024-bit keys are no longer considered adequate, so
issue 2048-bit or larger keys for both the ACS server certificate and the client certificates.
All certificates that are used for network access authentication must be valid X.509 certificates and
must be usable for connections that use SSL/TLS. Beyond this minimum requirement, the client and
server certificates each have additional requirements.
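The chain, trust-list, and key-size rules described in this section can be exercised with the openssl command line. The script below is an added example for this guide and is not Cisco code: it builds a throw-away PKI (an "Example Root CA", an "Example Issuing CA" below it, and client, server, and weak-key certificates, all invented names) and then decides which certificates a server that trusts only the root would accept for client authentication, treating the trusted root file as a stand-in for the ACS CTL. It assumes an openssl binary of version 1.1.1 or later on the path; the 2048-bit minimum in strong_enough is a local policy, not an ACS setting.

```shell
#!/bin/sh
# Added example (not from the Cisco ACS guide): build a throw-away two-tier PKI
# with the openssl CLI, then run the checks an EAP-TLS server such as ACS applies
# to a client certificate. The installed root certificate plays the role of the
# ACS certificate trust list (CTL). All CA and subject names are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_key() {                       # $1 = key file, $2 = RSA modulus size in bits
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" -out "$1" 2>/dev/null
}

self_signed() {                   # $1 = name, $2 = subject CN; makes a root CA certificate
    gen_key "$WORK/$1.key" 2048
    openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$2" -days 3650 -sha256 \
        -out "$WORK/$1.pem" 2>/dev/null
}

csr() {                           # $1 = name, $2 = subject CN, $3 = key bits
    gen_key "$WORK/$1.key" "$3"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

issue() {                         # $1 = issuing CA, $2 = subject name, $3.. = v3 extension lines
    ca=$1; name=$2; shift 2
    printf '%s\n' "$@" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" 2>/dev/null
}

build_pki() {
    self_signed root "Example Root CA"          # the root the server will trust
    self_signed other_root "Unrelated Root CA"  # a root the server does not trust
    csr sub "Example Issuing CA" 2048
    issue root sub "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
    csr client "user@example.com" 2048
    issue sub client "basicConstraints=CA:FALSE" "extendedKeyUsage=clientAuth"
    csr server "acs.example.com" 2048
    issue sub server "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth"
    csr weak "legacy@example.com" 1024          # within what ACS accepts, but too small today
    issue sub weak "basicConstraints=CA:FALSE" "extendedKeyUsage=clientAuth"
}

# Server-side decision: accept certificate $2 for client authentication when the
# only trusted root is $1?  Remaining args are the intermediate CA certificates
# the client sent along with its own certificate (the "chain certificates").
accept_client() {
    trusted=$1; leaf=$2; shift 2
    chain=""
    for c in "$@"; do chain="$chain -untrusted $WORK/$c.pem"; done
    # $chain is deliberately unquoted so it expands to several arguments
    openssl verify -CAfile "$WORK/$trusted.pem" -purpose sslclient $chain \
        "$WORK/$leaf.pem" >/dev/null 2>&1
}

rsa_bits() {                      # print the RSA modulus size of certificate $1
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

strong_enough() {                 # local policy (not an ACS setting): 2048-bit RSA or larger
    [ "$(rsa_bits "$1")" -ge 2048 ]
}

build_pki
show() { if "$@"; then printf 'ACCEPT  %s\n' "$*"; else printf 'REJECT  %s\n' "$*"; fi; }
show accept_client root client sub        # full chain to the installed root
show accept_client root client            # intermediate CA certificate not presented
show accept_client other_root client sub  # chain ends at a root the server does not trust
show accept_client root server sub        # server certificate offered for client authentication
show strong_enough client                 # 2048-bit RSA
show strong_enough weak                   # 1024-bit RSA
```

The first accept_client call succeeds because the client certificate, the issuing CA certificate, and the installed root form a complete chain. The same client certificate is rejected when the intermediate is not presented, which is the "all of the chain certificates" condition above, and when the installed root belongs to an unrelated CA. The server certificate is rejected for the client-authentication purpose even though it chains correctly, which is the kind of additional per-role requirement the last paragraph refers to. The 1024-bit certificate passes the chain check, so the key-size policy has to be enforced separately from trust.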