8-71
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
You trust the passport because you trust the preparation and identity checking that
the particular country’s passport office made when creating that passport. You
trust digital certificates by installing the root certificate CA signature.
If Cisco Secure ACS receives traffic from a wireless AP that has the wrong shared
secret, the error message logged in to the failed attempts log reads “EAP request
has invalid signature.” Three conditions that might cause this to occur are the
following:
• The wrong signature is being used
• A RADIUS packet was corrupted in transit
• Cisco Secure ACS is being attacked
After EAP-TLS authentication successfully concludes, Cisco Secure ACS must
verify that the claimed identity (presented in the EAP Identity response)
corresponds to the certificate presented by the user. Cisco Secure ACS can
accomplish this verification in two ways:
• Certificate Name Comparison—Based on the name in the certificate.
• Certificate Binary Comparison—Between the user certificate stored in the
user object in the LDAP server or Active Directory and the certificate
presented by the user during EAP-TLS authentication.
Note If you use certificate binary comparison, the user certificate must be
stored in Active Directory or an LDAP server, using a binary format.
Also, the attribute storing the certificate must be named
“usercertificate”.
When you set up EAP-TLS, you can select the criterion (one or both) that
Cisco Secure ACS uses. For more information, see Configuring Authentication
Options, page 8-81.
To Next Page
Loading...
Need help?
General