Enabling eap-tls authentication – Cisco 3.3 User Manual

10-7

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

Enabling EAP-TLS Authentication

This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support EAP-TLS authentication.

Note

End-user client computers must be configured to support EAP-TLS. This
procedure is specific to configuration of Cisco Secure ACS only. For more
information about deploying EAP-TLS authentication, see Extensible
Authentication Protocol Transport Layer Security Deployment Guide for Wireless
LAN Networks at

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/

acstl_wp.htm

.

Before You Begin

For EAP-TLS machine authentication, if you have a Microsoft certification
authority server configured on the domain controller, you can configure a policy
in Active Directory to produce a client certificate automatically when a computer
is added to the domain. For more information, see

Microsoft Knowledge Base

Article 313407, HOW TO: Create Automatic Certificate Requests with Group
Policy in Windows

.

To enable EAP-TLS authentication, follow these steps:

Step 1

Install a server certificate in Cisco Secure ACS. EAP-TLS requires a server
certificate. For detailed steps, see

Installing a Cisco Secure ACS Server

Certificate, page 10-35

.

Note

If you have previously installed a certificate to support EAP-TLS or
PEAP user authentication or to support HTTPS protection of remote
Cisco Secure ACS administration, you do not need to perform this step.
A single server certificate is sufficient to support all certificate-based
Cisco Secure ACS services and remote administration; however,
EAP-TLS and PEAP require that the certificate be suitable for server
authentication purposes.